Capsule Security disclosed two production AI agent prompt injection vulnerabilities this week affecting Microsoft Copilot Studio and Salesforce Agentforce, with the critical finding that Microsoft’s four-month-old patch for the Copilot Studio flaw did not fully prevent data exfiltration. Salesforce confirmed today that it has “remediated the specific scenario described” and enabled Human-in-the-Loop confirmation by default for email-based agentic actions, according to VentureBeat.

ShareLeak: The Patch That Didn’t Hold

The Copilot Studio vulnerability, which Capsule Security named ShareLeak, exploits how agents process SharePoint form submissions. Microsoft assigned it CVE-2026-21520 with a CVSS score of 7.5 and patched it on January 15, 2026, after Capsule reported it on November 24, 2025.

The attack works by inserting a crafted payload into a standard form field like a comment box. According to CSO Online, Copilot Studio concatenates user input with system prompts with no input sanitization between the form and the model. The injected payload overrides the agent’s original instructions, directing it to query connected SharePoint Lists for customer data and send it to an attacker-controlled email address via Outlook.

Microsoft’s own safety mechanisms flagged the request as suspicious during Capsule’s testing, according to VentureBeat. The data was exfiltrated anyway. DLP never fired because the email was routed through a legitimate Outlook action that the system treated as an authorized operation.

Carter Rees, VP of Artificial Intelligence at Reputation, described the failure to VentureBeat: “The LLM cannot inherently distinguish between trusted instructions and untrusted retrieved data. It becomes a confused deputy acting on behalf of the attacker.” OWASP classifies this attack pattern as ASI01: Agent Goal Hijack.

Microsoft’s decision to assign a CVE to a prompt injection in an agentic platform is itself notable. Capsule’s research calls it “highly unusual,” according to VentureBeat. Microsoft previously assigned CVE-2025-32711 (CVSS 9.3) to EchoLeak in M365 Copilot, but that targeted a productivity assistant, not an agent-building platform. NVD classifies the ShareLeak attack as low complexity, requiring no privileges.

PipeLeak: Agentforce’s Parallel Vulnerability

Capsule Security found a parallel vulnerability in Salesforce Agentforce, which it named PipeLeak. A public lead form payload hijacked an Agentforce agent with no authentication required. According to CSO Online, the hijacked agent retrieved CRM data via the “GetLeadsInformation” function and sent it externally via email. Capsule found no volume cap on the exfiltrated data.

Salesforce has not assigned a CVE or issued a public advisory for PipeLeak as of the original disclosure, according to both VentureBeat and CSO Online. However, after VentureBeat’s publication today, a Salesforce spokesperson stated the company has “remediated the specific scenario described” and that Human-in-the-Loop confirmation is now enabled by default for email-based agentic actions.

Capsule is not the first research team to hit Agentforce with indirect prompt injection. Noma Labs disclosed ForcedLeak (CVSS 9.4) in September 2025, and Salesforce patched that vector by enforcing Trusted URL allowlists. According to Capsule’s research published by VentureBeat, PipeLeak survives that patch through a different channel: email routing.

The Architectural Problem

Both vulnerabilities converge on the same underlying architectural flaw: AI agents treat untrusted user input as trusted instructions. A form submission, a comment field, and a lead form entry are all data, but agents process them as potential directives. Patching individual attack vectors does not eliminate the class of vulnerability.
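One way to build the control that the Salesforce remediation implies, as an added example that is not code from Microsoft, Salesforce or Capsule: tool calls carry the provenance of the content that triggered them (an assumption about the host framework), every email action defaults to human confirmation, and an email to an external recipient issued after untrusted form content and CRM/SharePoint data have both entered the context is blocked outright. The mail domain, source labels and tool names other than GetLeadsInformation are assumed.

```python
from dataclasses import dataclass

# Added example: a policy gate between an agent's planner and its tool executor.
# It treats form-originated text as data with no authority over actions, and it
# refuses to let a "legitimate" email action carry data out once that data and
# untrusted content share the model context (the ShareLeak / PipeLeak shape).

INTERNAL_DOMAINS = {"corp.example"}                        # assumption: tenant mail domains
UNTRUSTED_SOURCES = {"sharepoint_form", "web_lead_form"}  # assumed channel labels
DATA_READ_TOOLS = {"query_sharepoint_list", "GetLeadsInformation"}  # first name assumed

@dataclass
class ToolCall:
    name: str
    args: dict
    source: str = "user"   # provenance of the text that led the model to emit this call

@dataclass
class Session:
    tainted: bool = False      # untrusted content has entered the model context
    holds_data: bool = False   # a data-read tool has returned results into the context

def gate(session: Session, call: ToolCall) -> str:
    """Return 'allow', 'require_human' or 'block' for one proposed tool call."""
    if call.source in UNTRUSTED_SOURCES:
        session.tainted = True            # taint persists for the rest of the session
    if call.name in DATA_READ_TOOLS:
        session.holds_data = True
        return "allow"
    if call.name != "send_email":
        return "allow"
    recipient = call.args.get("to", "")
    domain = recipient.rsplit("@", 1)[-1].lower() if "@" in recipient else ""
    external = domain not in INTERNAL_DOMAINS
    # Untrusted instructions + retrieved records + external recipient: do not rely
    # on a human clicking "confirm" on what looks like an ordinary email action.
    if session.tainted and session.holds_data and external:
        return "block"
    return "require_human"                # human-in-the-loop for every email action

def run(calls):
    """Evaluate a sequence of proposed tool calls in one session."""
    session = Session()
    return [(c.name, gate(session, c)) for c in calls]

if __name__ == "__main__":
    # Constructed trace mirroring the reported attack sequence
    trace = [
        ToolCall("query_sharepoint_list", {"list": "Customers"}, source="sharepoint_form"),
        ToolCall("send_email", {"to": "someone@external.example"}, source="sharepoint_form"),
    ]
    for name, verdict in run(trace):
        print(name, verdict)    # query_sharepoint_list allow / send_email block
```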

Every enterprise security team running Copilot Studio with SharePoint form triggers or Agentforce with email-based actions should audit their deployments immediately, regardless of patch status. “Patched” and “not exploitable” are, as this week demonstrated, two different things.