“ForcedLeak” Vulnerability in Agentforce Platform Addressed by Salesforce

The dangerous “ForcedLeak” flaw in Salesforce’s Agentforce platform has been addressed with a patch, plugging a hole that made it possible for attackers to exfiltrate sensitive data via a prompt injection.

The flaw impacted Salesforce Agentforce installations with “Web-to-Lead” functionality enabled. An attacker with access to an allowlisted domain had the ability to plant malicious instructions in lead forms that would be taken up by the generative artificial intelligence (GenAI) system; the particular domain that was exploited had expired without being renewed by Salesforce and had become available to the public for what was reportedly a trivial amount of money.

Serious vulnerability was trivial to exploit with the right domain access

ForcedLeak was discovered and published in July 2025, and assigned a CVE score of 9.4 given its potential severity. While an attacker needed to have access to a particular approved domain to exploit it, the rest of the process consisted of a relatively simple prompt injection granting the ability to exfiltrate Agentforce’s stores of sensitive information.

The attacker could merely submit a Web-to-Lead form containing a malicious description. An internal employee would then process the lead using a standard AI query. Agentforce would then execute the malicious instructions, and the system would query the CRM for sensitive information on leads. That data was then passed on to the attacker-controlled whitelisted domain in the form of a PNG image.

While this all would not have worked without the attackers having access to the overlooked domain that had expired, the AI agent was otherwise trivially fooled by the embedded malicious instructions and seemed to lack the capability to discern that an attack attempt was taking place. Salesforce has responded to the vulnerability by gaining ownership of the expired domain and issuing patches to Agentforce and its Einstein AI agent.

Information about leads that could potentially be extracted from source data kept in the environment in this way includes names and contact information, identification numbers, personal health information and banking information, though it would depend greatly on the individual customer’s setup.

Similar vulnerabilities likely present in other AI agents

The attack type described here is generally referred to as an “indirect prompt injection,” and this category has become a very common way for attackers to breach GenAI system guardrails and convince them to execute malicious or otherwise prohibited instructions.

Security researchers point out that common issues with dependencies and limitations in the implementation of guardrails have opened the door for this kind of attack, and that it should be expected to appear in all sorts of Retrieval-Augmented Generation (RAG) agents.

In terms of hardening against this particular approach, Salesforce has recommended auditing incoming lead data for unusual injections and implementing strict input validation to pick up on prompt injection attempts before they can be executed. Other relevant hardening methods include disabling Email Tool usage when untrusted inputs are involved, and setting a requirement of a manual review before any emails containing CRM data are sent.