Summary of the ForcedLeak disclosure
Israeli cybersecurity firm Noma Security disclosed a critical vulnerability in Salesforce’s AI agent platform, Agentforce. The flaw, named ForcedLeak, was evaluated with a CVSS score of 9.4, marking it as a high-severity security issue. Salesforce issued a patch after the disclosure, but the incident highlights emerging risks tied to autonomous AI agents and their ability to interact with sensitive business data stored in CRM systems.
How the vulnerability operates
Agentforce relies on autonomous AI agents to analyze incoming leads, craft marketing responses, interact with clients, and log interactions within the CRM. The vulnerability arose from an indirect prompt injection technique that manipulated an AI agent into loading an external resource. Specifically, an attacker could submit a normal lead form that secretly instructs the agent to fetch an image from an external URL. The request was crafted so that the agent would treat the operation as part of routine lead handling, and the information embedded in the CRM (names, contact details, lead summaries, etc.) would be carried along in the outgoing request to the attacker-controlled server.
To make the exploit credible, the attacker purchased an old, previously validated domain that had an established trust relationship with Salesforce. This domain purchase, costing only a few dollars, helped the malicious request appear legitimate to the AI agent, bypassing basic trust checks and enabling the exfiltration to occur without explicit user consent.
What data could be exposed
The risk involved not the Salesforce platform itself, but the customer and lead data stored in the organizations using Agentforce. Potentially exposed information includes client contact details, lead data, marketing and sales notes, and internal deal status. In short, a company using a CRM to capture and manage leads could see sensitive business information leak to an external party through a seemingly ordinary lead submission.
Broader implications for AI agents and data security
The ForcedLeak case underscores a broader shift in cybersecurity: the rise of autonomous AI agents that perform tasks with limited human oversight. Traditional security controls—focused on preventing user-initiated actions like clicking a link—may be ill-equipped to detect and mitigate covert prompts and external data fetches executed by AI agents themselves. This incident argues for new guardrails around autonomous agents, including strict controls on external content loading, tighter domain validation, and stronger access controls on the data agents can interpret or transmit.
Remediation and best practices
In response to such threats, organizations should consider several protective measures. These include:
– Enforcing strict external content loading policies and whitelisting trusted domains only.
– Implementing robust domain attestation and verification to prevent domain spoofing.
– Requiring explicit human confirmation for actions that involve data exfiltration or integration with external services.
– Enhancing monitoring and anomaly detection focused on AI agent behavior, including unusual data payloads and atypical lead processing patterns.
– Conducting regular security assessments of AI agents, prompt libraries, and integration points with CRM systems.
About Noma Security
Founded in 2023 by a team of Israeli cybersecurity entrepreneurs, Noma Security offers AI risk discovery and management tools designed to help organizations adopt intelligent technologies without compromising security and compliance. The ForcedLeak disclosure adds to the growing emphasis on securing autonomous AI workflows in modern enterprise environments.
What this means for Salesforce users
For companies relying on Agentforce or similar AI-enabled CRM integrations, the ForcedLeak incident is a reminder to review data-handling policies, tighten domain controls, and ensure that AI agents operate within clearly defined guardrails. While Salesforce patched the vulnerability, ongoing vigilance and proactive risk management are essential to safeguard customer data in an era of increasingly autonomous AI agents.
