ForcedLeak flaw in Salesforce Agentforce exposes CRM data via Prompt Injection

Noma Labs researchers discovered a critical vulnerability, named ForcedLeak (CVSS 9.4), in Salesforce Agentforce that could be exploited by attackers to exfiltrate sensitive CRM data through an indirect prompt injection attack.

The vulnerability only impacts organizations using Salesforce Agentforce with the Web-to-Lead functionality enabled.

“By exploiting weaknesses in context validation, overly permissive AI model behavior, and a Content Security Policy (CSP) bypass, attackers can create malicious Web-to-Lead submissions that execute unauthorized commands when processed by Agentforce.” reads the report published by Noma Labs. “The LLM, operating as a straightforward execution engine, lacked the ability to distinguish between legitimate data loaded into its context and malicious instructions that should only be executed from trusted sources, resulting in critical sensitive data leakage”

https://securityaffairs.com/182676/hacking/forcedleak-flaw-in-salesforce-agentforce-exposes-crm-data-via-prompt-injection.html