Enterprise AI brokers are purported to streamline workflows. As an alternative, two contemporary findings present they will simply as simply streamline knowledge exfiltration.
Safety researchers have uncovered prompt-injection vulnerabilities in each Microsoft Copilot Studio and Salesforce Agentforce that permit attackers to execute malicious directions by way of seemingly innocent prompts.
In line with Capsule Safety findings, SharePoint kinds and public-facing lead kinds inside Copilot are susceptible to attackers issuing prompts that may override system intent and set off knowledge exfiltration to attacker-controlled servers.
Certainly one of these flaws has already been assigned a high-severity CVE, with one other “essential” one reportedly lacking the bar for categorization. The failings can permit theft of PIIs, buyer/lead data, free-text enterprise context, and operational/workflow knowledge.
In each instances, AI brokers deal with untrusted consumer enter as trusted directions, Capsule researchers famous within the disclosures shared with CSO forward of their publication on Wednesday.
ShareLeak: SharePoint kinds knowledge leaked by way of Copilot
The Microsoft-side difficulty, dubbed “ShareLeak,” is about how Copilot Studio brokers course of SharePoint type submissions. The assault begins with a crafted payload inserted into a regular type area, like “feedback”, which the agent later ingests as a part of its operational context.
As a result of the system concatenates consumer enter with system prompts, the injected payload overrides the agent’s unique directions. The mannequin is thus tricked into believing the attacker’s directions are authentic system directives. The malicious enter strikes from type submission to agent execution with none resistance.
As soon as compromised, the agent can entry related SharePoint Lists and extract delicate buyer knowledge, together with names, addresses, telephone numbers, and ship it externally by way of electronic mail. The researchers discovered that even when Microsoft’s security mechanisms flagged suspicious habits, the information was exfiltrated.
The foundation trigger is that there is no such thing as a dependable separation between trusted system directions and untrusted consumer knowledge. Within the current setup, the AI can’t distinguish between the 2, the researchers mentioned.
Microsoft patched the difficulty following disclosure, assigning CVE-2026-21520 to it and assessing its severity at 7.5 out of 10 on the CVSS scale. The mitigation was carried out internally, and no additional motion is required from the customers.
PipeLeak: Salesforce Agentforce hijacked by a easy lead
Within the Salesforce Agentforce case, attackers embed malicious directions inside a public-facing lead type. When an inner consumer later asks the agent to overview or course of that lead, the agent executes the embedded directions as in the event that they have been a part of its activity.
In line with a Capsule demonstration, the agent retrieves CRM knowledge by way of the “GetLeadsInformation” operate after which sends it externally by way of electronic mail.
The compromise isn’t restricted to a single report. Researchers demonstrated {that a} hijacked agent may question and exfiltrate a number of lead data in bulk, successfully turning a single type submission right into a database extraction pipeline.
The researchers mentioned Salesforce acknowledged the immediate injection difficulty however characterised the exfiltration vector as “configuration-specific,” pointing to non-compulsory human-in-the-loop (HITL) controls. Capsule’s pushback on that framing argues that requiring handbook approvals undermines the very objective of autonomous brokers.
The deeper difficulty, they famous, is insecure defaults. Methods designed for automation mustn’t permit untrusted inputs to redefine agent targets.
Each disclosures converge on a baseline that requires treating all exterior inputs as untrusted and having filters in place that separate knowledge from directions. This might entail implementing enter validation, least-privilege entry, and strict controls on actions like outbound electronic mail.
