Indirect Prompt Injection · Critical
ForcedLeak: CRM data exfiltration from Salesforce Agentforce
September 2025 · Salesforce Agentforce / Einstein AI
What happened
A malicious Web-to-Lead form submission with instructions hidden in the Description field could coerce Agentforce into running attacker commands and exfiltrating CRM data (ForcedLeak, CVSS 9.4). The exfil endpoint was an expired Salesforce-allowlisted domain the researchers re-registered for about $5.
Root cause
Weak context validation plus a CSP allowlist containing a lapsed domain let untrusted form data act as trusted instructions and reach an attacker host.
Fix / outcome
Salesforce enforced Trusted URLs for Agentforce and Einstein AI on September 8, 2025.
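The root cause has two halves: untrusted form content reached the agent as instructions, and an outbound allowlist still contained a host the vendor no longer controlled. The following added example (not Salesforce code, and not the researchers' tooling) shows the second half from a defender's side: the weak check, which trusts any host on the allowlist, beside a hardened check that also requires the host to appear in a currently owned-domain registry and rejects wildcards. All domain names and the allowlist are constructed placeholders; the owned-domain set stands in for an export from the registrar account.

```python
"""
Added example: audit an outbound-URL allowlist for entries the organization
no longer controls, and gate agent egress on the audited result.
Domain names below are constructed; none refers to a real host.
"""
from urllib.parse import urlsplit

# Constructed stale allowlist. The second entry stands for a domain whose
# registration lapsed but which was never removed from the list.
STALE_ALLOWLIST = [
    "https://api.example-crm.test",
    "https://legacy-assets.example-crm.test",   # registration lapsed
    "https://*.example-crm.test",               # wildcard: overly broad
]

# Constructed registry of domains the org currently owns (assumed to be
# refreshed from the registrar on a schedule, so lapsed names drop out).
OWNED_DOMAINS = {"api.example-crm.test"}


def host_of(entry: str) -> str:
    """Return the lower-cased hostname of a URL or bare allowlist entry."""
    parts = urlsplit(entry if "://" in entry else "https://" + entry)
    return (parts.hostname or "").lower()


def allowed_by_stale_list(url: str, allowlist) -> bool:
    """Weak check: trust any host that matches an allowlist entry, including
    wildcard entries, with no test of whether the org still controls it."""
    host = host_of(url)
    for entry in allowlist:
        e_host = host_of(entry)
        if host == e_host:
            return True
        if e_host.startswith("*.") and host.endswith(e_host[1:]):
            return True
    return False


def audit_allowlist(allowlist, owned) -> dict:
    """Classify each allowlist entry as 'ok', 'wildcard' or 'unowned'."""
    report = {}
    for entry in allowlist:
        host = host_of(entry)
        if "*" in host:
            report[entry] = "wildcard"
        elif host not in owned:
            report[entry] = "unowned"
        else:
            report[entry] = "ok"
    return report


def allowed_egress(url: str, allowlist, owned) -> bool:
    """Hardened check: permit only HTTPS requests to an exact host that is
    both on the allowlist and in the owned-domain registry. Wildcards and
    unowned hosts are denied, so a lapsed name cannot receive CRM data."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = host_of(url)
    if not host:
        return False
    clean_hosts = {
        host_of(entry)
        for entry, status in audit_allowlist(allowlist, owned).items()
        if status == "ok"
    }
    return host in clean_hosts


if __name__ == "__main__":
    lapsed = "https://legacy-assets.example-crm.test/collect?d=lead-data"
    print("stale check lets it through:", allowed_by_stale_list(lapsed, STALE_ALLOWLIST))
    print("audited check blocks it:   ", not allowed_egress(lapsed, STALE_ALLOWLIST, OWNED_DOMAINS))
    for entry, status in audit_allowlist(STALE_ALLOWLIST, OWNED_DOMAINS).items():
        print(f"{status:9s} {entry}")
```

The audit report is the operational artefact: run it against the real allowlist (CSP `connect-src` or the platform's trusted-URL configuration) whenever the owned-domain export changes, and treat any `unowned` or `wildcard` entry as a finding. The first half of the root cause is addressed separately, by passing Web-to-Lead fields to the agent as quoted data rather than as part of its instruction context.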
Learn this attack class
This incident is an example of Indirect Prompt Injection. Read the guide, then try it hands-on in the Academy.