ForcedLeak: AI Agent risks exposed in Salesforce AgentForce (noma.security)

Noma Labs disclosed "ForcedLeak," a critical (CVSS 9.4) vulnerability chain in Salesforce Agentforce that allowed attackers to exfiltrate CRM data via an indirect prompt‑injection attack. The researchers used Salesforce’s Web‑to‑Lead feature to submit malicious payloads into the large Description field; when employees later queried Agentforce, the LLM treated embedded instructions in trusted data as executable, queried sensitive records, and exfiltrated results (via crafted image/URL requests) to an attacker-controlled server. A crucial enabler was a Content Security Policy whitelist that included an expired domain (my-salesforce-cms.com) which an attacker could re-purchase and use as a trusted exfiltration channel. Noma produced a proof‑of‑concept, reported the issue July 28, 2025; Salesforce mitigated the immediate risk by enforcing Trusted URLs for Agentforce and Einstein AI (patches rolled out Sept 8) and re-secured the expired domain. ForcedLeak highlights how autonomous AI agents expand the attack surface beyond classic chatbots: knowledge bases, internal memory, tool invocations and downstream integrations can all be weaponized via indirect prompt injection. Implications include large blast radii (lateral movement across integrations), time‑delayed stealth attacks, and regulatory exposure from CRM leaks. Recommended mitigations: enforce trusted URL whitelists, strict input validation and prompt‑injection detection on user‑controlled fields, sanitize untrusted data, audit lead records, and treat AI agents as production systems with runtime guardrails and inventorying to limit scope and tool access.