Cybersecurity researchers have revealed a serious flaw affecting Salesforce AgentForce, the platform for building artificial intelligence (AI) agents.
The vulnerability is codenamed CodeNed ForcedLeak (CVSS score: 9.4) by NOMA Security, which discovered and reported the issue on July 28, 2025. Use Salesforce AgentForce with the Web-to-LEAD feature to impact any organization.
“The vulnerability illustrates how AI agents present a fundamentally different, expanded attack surface compared to traditional rapid response systems,” NOMA security research leader Sasi Levi said in a report shared with Hacker News.
One of the most serious threats facing today’s Generating Artificial Intelligence (GENAI) systems is indirect rapid injection. This can result in malicious instructions when an external data source accessed by the service is inserted, and otherwise generates content that is prohibited or takes an unintended action.
The attack path demonstrated by NOMA is seemingly simple in that it uses a read-format description field from the web to perform malicious instructions using a quick injection.
This is done in five steps –
The attacker submits a web-to-lead form with a malicious description Internal employee process using leads using standard AI queries to process incoming leads.
“By taking advantage of the weaknesses of contextual validation, overly tolerant AI models behaviour and content security policy (CSP) bypass, attackers can create lead submissions from malicious webs that run illicit commands when AgentForce handles them,” says Noma.
“Working as a simple execution engine, LLM has the ability to distinguish between legitimate data loaded in that context and malicious instructions that should only be executed from trusted sources, resulting in leaking critical sensitive data.”
Salesforce then relocated the expired domain, deployed patches that prevented the output of AgentForce and Einstein AI agents, and implemented the URL Allowlist mechanism, which prevented them from being sent to untrusted URLs.
“Our underlying service, Powering AgentForce, forces a trusted URL Allowlist to prevent malicious links from being called or generated via potentially rapid injections,” the company said in an alert issued earlier this month. “This provides important detailed control over sensitive data that escapes the customer system via external requests after successful rapid injection.”
In addition to applying the Recommended Salesforce action to enforce a trusted URL, users are encouraged to audit existing lead data for suspicious submissions that contain unusual orders.
“The ForcedLeak vulnerabilities underscore the importance of proactive AI security and governance,” Levi said. “It serves as a strong reminder that even low-cost findings can prevent millions of people with damages for potential violations.”
Source link
