PipeLeak: The Lead That Stole Your Database - Exploiting Salesforce Agentforce With Indirect Prompt Injection

‍‍Capsule research team discover a critical prompt injection vulnerability in Salesforce Agentforce that allows attackers to exfiltrate CRM data through a simple lead from a form submission. No authentication required.

Key Findings

• Zero Authentication Required - Attackers can exploit this vulnerability through public-facing lead forms without any credentials or special access.
• No Instruction Isolation - Lead form data is concatenated directly into the agent's prompt context, allowing injected instructions to override system behavior.
• Unrestricted Email Tool - The Email Tool can send CRM data to arbitrary external addresses without validation or human approval gates.
• Bulk Data Access - Hijacked agents can query and exfiltrate multiple Lead records beyond the single record being processed.

Executive Summary

A prompt injection vulnerability exists in Salesforce Agentforce when processing untrusted lead data. An attacker can embed malicious instructions inside a standard lead form submission that are later executed by an Agent Flow with email capabilities.

When an internal employee asks the agent to review or analyze the lead, the agent complies with the attacker’s embedded instructions while exfiltrating sensitive data to an external email address. This results in unauthorized data disclosure and potential mass exfiltration of CRM data.

‍

Disclosure Timeline

December 2025 - Capsule Research discovers the vulnerability and reports to Salesforce

January 2026 - Salesforce acknowledges receipt and begins investigation

February 2026 - Salesforce provides official response (see Vendor Response section)

April 15, 2026 - Public disclosure

What is Salesforce Agentforce?

Salesforce is the world's #1 Customer Relationship Management (CRM) platform, used by over 150,000 companies to manage their most sensitive business data: customer PII, sales pipelines worth millions, support cases, and proprietary business intelligence. For most organizations, Salesforce is the central nervous system of their revenue operations.

‍

Agentforce, launched in late 2024, is Salesforce's AI agent platform that goes beyond simple chatbots. These agents can take real actions autonomously: qualifying leads, resolving support cases, sending emails, updating records, and orchestrating complex workflows without human intervention. The combination of deep CRM data access and powerful action capabilities makes Agentforce incredibly useful for automation, but also creates a significant attack surface when processing untrusted input.

The Vulnerability

This vulnerability maps to ASI01 in the OWASP Top 10 for Agentic Applications 2026. The attack manipulates the agent's objectives through prompt-based manipulation embedded in untrusted data sources, causing the agent to execute attacker-controlled instructions while appearing to perform legitimate operations.

‍

The vulnerability stems from a fundamental architectural flaw: Agent Flows process Lead form inputs as trusted instructions rather than untrusted data. Because Lead forms accept arbitrary text from external, unauthenticated users, an attacker can embed malicious prompts that override the agent's intended behavior.

‍

Environment Configuration

To demonstrate this vulnerability, we built a realistic Agentforce deployment using custom topics and actions. The configuration follows standard patterns that many organizations would implement for lead management automation.

‍

Lead Capture Form

We created a public-facing lead form using Salesforce Digital Experiences with standard fields: Name, Email, Company, and a free-text "How can we help?" description field. The form saves submissions directly to the Lead object - a typical configuration for contact forms, support requests, or event registrations.

‍

Agent Actions (Flows)

Two custom flows power the agent:

• GetLeadsInformation - Retrieves lead records from the database, returning fields like name, email, and description
• AgentEmailSender — Sends emails using Salesforce's standard email action with configurable recipient, subject, and body

‍

Agent Configuration

The "Leads Management Helper" agent was configured with a single topic linking natural language requests to our flows. The agent user requires Read access to the Lead object and the Description field. 

‍

This represents a minimal, typical setup. No unusual permissions or exotic configurations.

Proof of Concept

1. Attacker Submits Malicious Lead

The attacker submits a lead containing an embedded prompt injection payload designed to override agent instructions.

‍

‍

After the submission, we were able to see the entry in our internal view:

2. Internal Employee Requests Review

An unsuspecting employee asks the agent: "Please review and analyze the submitted Salesforce lead."

‍

‍

3. Agent Executes Malicious Instructions

The agent interprets the attacker's embedded prompt as legitimate instructions, accesses lead records, and exfiltrates data via the Email Tool.

‍

That’s it. Simple as that.

‍

Vendor Response

Salesforce provided the following response to our disclosure:

"Thank you for sharing the requested details. After a further review of your report, we've identified two distinct items to address: 

Prompt Injection: Our Product security and engineering teams are already working on it. 

Data Exfiltration via Custom Actions: We have determined this is a configuration-specific issue rather than a platform-level vulnerability. To ensure security, our out-of-the-box (OOTB) email actions require Human-in-the-loop (HITL) oversight. The same HITL requirement is available as a configuration setting for your custom actions to prevent unintentional data transfers/actions."

Our Take

We appreciate Salesforce's acknowledgment of the prompt injection issue. However, their characterization of the data exfiltration as a "configuration-specific issue" deserves scrutiny.

The suggestion that organizations should simply enable "Human-in-the-Loop" (HITL) for custom actions fundamentally misunderstands why people deploy AI agents in the first place. 

The entire value proposition of Agentforce is autonomous action. If every email requires human approval, you haven't built an AI agent, you've built a very expensive draft generator.

Technically accurate? Perhaps. A reasonable security model for a product marketed as "autonomous"? Absolutely not.

The real issue isn't whether HITL exists as an option. It's that the default behavior allows untrusted data to hijack agent goals without any warning or guardrails. Organizations deploying Agentforce for automation are unlikely to enable approval gates that defeat the purpose of automation. Secure defaults matter.

Conclusion

This vulnerability demonstrates a critical truth about AI agents in enterprise environments: the attack surface has fundamentally changed. A simple lead submitted in a conference can become a severe data leak vector. 

‍

As organizations rapidly adopt AI agents like Agentforce to automate critical business processes, they inherit new risks that existing security tools weren't designed to address. The attacker in this scenario needed no credentials, no network access, and no technical exploitation skills, just an understanding of how LLMs process instructions.

‍

The implications extend beyond Salesforce. Any AI agent that processes untrusted input while maintaining access to sensitive data or powerful actions is potentially vulnerable to similar attacks.

How to protect

To mitigate this vulnerability, organizations using Agentforce should implement the following controls:

1. Strict Instruction Isolation

Treat all Lead form inputs as untrusted data. Never allow user-supplied content to define agent goals or actions. Implement clear boundaries between system instructions and user data.

‍

2. Tool Usage Restrictions

Disallow Email Tool usage when processing untrusted inputs. Require explicit, hard-coded approval steps for any outbound communication containing CRM data.

‍

3. Prompt Injection Defense

Apply input sanitization and prompt-boundary techniques. Use system-level instructions that explicitly forbid executing commands found in user data.

‍

4. Human-in-the-Loop Approval

Require manual review before sending any external emails containing CRM data. Implement confirmation dialogs for sensitive operations.

‍

5. Audit Logging & Alerting

Log all agent actions involving data access and external communication. Alert on unusual email destinations or large data payloads.

‍

How Capsule can help

Capsule Security provides a dedicated security layer that monitors, governs, and blocks agentic actions in real-time, preventing data leakage and protecting system integrity.

‍

With Capsule, you can detect and block scenarios like this vulnerability by simply connecting your Agentforce deployment.

‍