Security researchers have uncovered a critical vulnerability in Salesforce's AI-powered Agentforce platform that allowed attackers to steal sensitive customer relationship management (CRM) data through a simple $5 expired domain purchase and sophisticated prompt injection attack.
The vulnerability, dubbed "ForcedLeak," earned a critical CVSS score of 9.4 and could have affected any organization using Salesforce Agentforce with Web-to-Lead functionality – a feature commonly deployed at conferences and marketing campaigns to capture prospect information.
Noma Security Labs discovered the flaw exploited "indirect prompt injection," where attackers embedded malicious instructions within seemingly legitimate Web-to-Lead form submissions. When employees later queried the AI about lead data, the system inadvertently executed hidden commands, treating attacker instructions as legitimate system prompts.
"Unlike traditional chatbots, AI agents present a vastly expanded attack surface that extends well beyond simple input prompts," the researchers noted. The attack leveraged Agentforce's ability to autonomously reason and execute multi-step workflows – the very capabilities that make AI agents powerful business tools.
The critical breakthrough came when researchers discovered Salesforce's Content Security Policy whitelisted an expired domain (my-salesforce-cms.com) that could be purchased for just $5, creating a trusted channel for data exfiltration.
Proof-of-Concept Demonstrated Real Risk
The attack worked by submitting Web-to-Lead forms containing malicious payloads in description fields. When employees made routine queries like "check the lead with name Alice Bob," the AI processed both the legitimate request and embedded attack commands, ultimately generating image requests that transmitted CRM data to attacker-controlled servers.
Salesforce responded immediately upon notification, implementing Trusted URLs Enforcement for Agentforce and Einstein AI on September 8, 2025, and re-securing the expired domain.
"Salesforce is aware of the vulnerability reported by Noma and has released patches that prevent output in Agentforce agents from being sent to untrusted URLs," a Salesforce spokesperson told Cyber Kendra. "The security landscape for prompt injection remains a complex and evolving area, and we continue to invest in strong security controls and work closely with the research community to help protect our customers as these types of issues surface."
"This vulnerability extends far beyond simple data theft," researchers warned. The attack demonstrates how AI agents create new attack vectors where prompt injection becomes weaponized and human-AI interfaces become social engineering targets.
Security experts recommend organizations maintain centralized AI agent inventories, implement runtime prompt injection detection, and enforce strict input validation on all external data sources feeding AI systems. As AI agents become integral to business operations, traditional security controls must evolve to address these fundamentally new threat vectors.