TWO recently fixed prompt injections in Salesforce Agentforce and Microsoft Copilot could have allowed an external attacker to exfiltrate sensitive data, according to Capsule Security. In Salesforce, the flaw dubbed “PipeLeak” could be triggered via a public-facing CRM lead form, causing the agent to treat untrusted inputs as trusted prompts and list leads sent back to the attacker.
Microsoft Copilot’s vulnerability, referred to as “ShareLeak” (CVE-2026-21520), could have enabled malicious code in a SharePoint form input to trigger Copilot data exfiltration to an attacker-controlled email, with safety mechanisms failing to prevent the leakage. Capsule Security notes the attacks required no complex exploit and centred on prompt-injection techniques that override intended agent behaviour.
Both vendors have addressed the flaws, while Salesforce emphasises configuration-related aspects and the option to enable human-in-the-loop controls to mitigate data transfers. 15 April 2026.