EXECUTIVE SUMMARY:
CVE-2026-21520 with a CVSS score of 7.5 is a prompt injection vulnerability affecting Salesforce Agentforce and Microsoft Copilot. The vulnerability exists in Salesforce's Agentforce, which processes lead form inputs as trusted instructions rather than untrusted data, allowing an attacker to embed malicious prompts that override the agent's intended behavior. An attacker can exploit this vulnerability by inserting malicious instructions into an untrusted lead capture form, which is a public-facing customer relationship management (CRM) form on the Salesforce customer's website. The attacker can then instruct the agent to send sensitive data, such as leads, to an attacker-controlled email. This vulnerability grants the attacker access to sensitive data, enabling them to exfiltrate customer information. If exploited, this vulnerability can have significant business impacts, including data breaches and compromised customer relationships. Additionally, Microsoft's Copilot vulnerability, also known as "ShareLeak," requires a more complex command to override intended AI agent behavior but is similarly triggered by a customer-facing form.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-21520 with a CVSS score of 7.5 is a prompt injection vulnerability affecting Salesforce Agentforce and Microsoft Copilot. The vulnerability exists in Salesforce's Agentforce, which processes lead form inputs as trusted instructions rather than untrusted data, allowing an attacker to embed malicious prompts that override the agent's intended behavior. An attacker can exploit this vulnerability by inserting malicious instructions into an untrusted lead capture form, which is a public-facing customer relationship management (CRM) form on the Salesforce customer's website. The attacker can then instruct the agent to send sensitive data, such as leads, to an attacker-controlled email. This vulnerability grants the attacker access to sensitive data, enabling them to exfiltrate customer information. If exploited, this vulnerability can have significant business impacts, including data breaches and compromised customer relationships. Additionally, Microsoft's Copilot vulnerability, also known as "ShareLeak," requires a more complex command to override intended AI agent behavior but is similarly triggered by a customer-facing form.[emaillocker id="1283"]
RECOMMENDATION:
We recommend you update Salesforce Agentforce to version 22.5 or later.
We recommend you update Microsoft Copilot to version 2023.03.15 or later.
REFERENCES:
The following reports contain further technical details:
https://www.darkreading.com/cloud-security/microsoft-salesforce-patch-ai-agent-data-leak-flaws