TL;DR: Salesforce patched the ForcedLeak flaw in Agentforce after researchers showed that indirect prompt injection could exfiltrate CRM data through a whitelisted domain, with exploitation enabled by an expired allowlisted domain and Web-to-Lead workflows. The incident shows that approval boundaries and input trust assumptions collapse when generative systems execute instructions from untrusted content.
At a glance
What this is: ForcedLeak was a high-severity indirect prompt injection flaw in Salesforce Agentforce that could exfiltrate sensitive CRM data through Web-to-Lead workflows and a whitelisted domain.
Why it matters: It matters because AI agent governance has to cover tool use, input trust, and delegated execution, not just model output filtering or conventional IAM controls.
By the numbers:
- ForcedLeak was discovered and published in July 2025, and assigned a CVE score of 9.4 given its potential severity.
👉 Read Swarmnetics's analysis of the ForcedLeak Agentforce vulnerability
Context
ForcedLeak is an indirect prompt injection problem, which means the malicious instruction arrives through data the system is expected to process rather than through an obvious user action. In practice, that turns ordinary lead intake into a control boundary issue for AI agent identity, because the system can be induced to act on content that should have remained inert.
For IAM and NHI programmes, this matters because agent behaviour is not governed only by login state or API access. When a system can read lead data, call tools, and pass results to external destinations, the identity question becomes whether the agent can be steered by untrusted input into actions outside its intended trust boundary.
The article’s starting position is typical of a broader agentic AI pattern: a small external trust failure can turn into a privileged data path once the agent is allowed to combine inputs, tools, and outbound delivery.
Key questions
Q: How should security teams reduce indirect prompt injection risk in AI systems?
A: Security teams should limit what AI systems can read, separate untrusted content from privileged actions, and apply least privilege to every connected agent. The strongest posture combines content filtering, allowlisted sources, short-lived sessions, and explicit approval for sensitive actions. If any one of those layers is missing, the attack path remains open.
Q: Why do allowlisted domains increase risk in AI agent workflows?
A: Allowlisted domains can become trusted delivery channels for exfiltration when an agent is allowed to send data outward without strong destination governance. If the domain ownership changes, expires, or is loosely monitored, the trust boundary is weakened. The problem is not the allowlist itself, but the assumption that every allowed destination remains safe over time.
Q: What do security teams get wrong about prompt guardrails?
A: Teams often treat prompt guardrails as if they were authorisation controls, but they are only one layer of defence. A model that filters unsafe language can still execute hidden instructions inside legitimate content if tool permissions are broad. Guardrails reduce exposure, but they do not replace separate approval checks for sensitive actions.
Q: Who is accountable when an AI-assisted workflow leaks sensitive data?
A: Accountability sits with the organisation that allowed the workflow to operate outside governed controls. Security, IAM, and business owners all share responsibility for ensuring approval, logging, and lifecycle management exist before data moves through the path. If no one can block or revoke it, no one is governing it.
Technical breakdown
How indirect prompt injection turns trusted inputs into control paths
Indirect prompt injection occurs when malicious instructions are hidden inside content the system is designed to ingest, such as a lead form, document, or web page. The AI agent treats the content as part of the task context, so the attacker does not need a direct prompt channel. In this case, Web-to-Lead data became the carrier, and the model followed embedded instructions during a normal CRM workflow. The core technical issue is that retrieval, instruction parsing, and action execution are too closely coupled.
Practical implication: separate untrusted content ingestion from any action-capable agent workflow and validate inputs before they reach tool-using paths.
Why whitelisted domains and outbound tools create an exfiltration path
The exploit depended on access to an allowlisted domain, which gave the attacker a legitimate-looking destination for returned data. Once the agent queried CRM records, it could package results into a PNG and send them to the attacker-controlled domain. That is a classic abuse of delegated outbound authority, where the system’s trust in the destination becomes the attacker’s delivery mechanism. In agentic systems, allowlists and outbound tools are part of the identity perimeter, not just network plumbing.
Practical implication: review allowlists, external destinations, and outbound tool permissions as identity controls, not only as network or application settings.
Why RAG and agent guardrails are not the same as authorisation
RAG agents can retrieve context from external sources, but retrieval alone does not stop malicious instructions from being executed. Guardrails may filter obvious unsafe prompts, yet they often fail when the instruction is embedded in otherwise legitimate text. That is why the article’s scenario generalises beyond one product: any agent that can read external context and trigger tools is exposed if it cannot distinguish task data from operator intent. The failure is architectural, not merely a configuration mistake.
Practical implication: treat prompt filtering as one control layer and require separate authorisation checks for every tool-invoking action.
Threat narrative
Attacker objective: The attacker wanted to coerce the AI agent into revealing CRM data and sending it outside the organisation through a trusted outbound path.
- Entry occurred through an expired allowlisted domain that the attacker could obtain and use as a trusted-looking injection point for Web-to-Lead submissions.
- Escalation happened when a standard AI query processed the malicious lead data and the agent followed embedded instructions to query CRM records.
- Impact was data exfiltration through a whitelisted external destination, with sensitive lead information passed out of the environment in PNG form.
Breaches seen in the wild
- Gemini AI Breach — Google Calendar Prompt Injection — Gemini AI assistant prompt injection attack leaks sensitive Google Calendar data.
- Amazon Q AI Coding Agent Compromised — Amazon Q AI coding agent compromised via prompt injection enabling hackers to inject data-wiping commands.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Indirect prompt injection is becoming an identity problem, not just a content safety problem. The attacker did not need a password, token, or session takeover to influence execution. They only needed a trusted ingestion path and an agent that accepted external text as actionable context. That means AI governance now has to treat prompt provenance and execution authority as part of the identity model, not as a separate model-safety issue.
Allowlisted destinations are part of the control plane for AI agents. Once the agent can send outputs to an approved external domain, the allowlist becomes an exfiltration channel if the destination can be manipulated. In NHI terms, the outbound boundary is only as strong as the lifecycle of the trusted domain and the review discipline around it. Practitioners should treat approved destinations as governed identity relationships, not static configuration.
Prompt injection exposes a runtime trust gap that conventional access reviews do not see. Access review frameworks assume entitlements are visible, durable, and reviewable after assignment. Here, the dangerous behaviour emerges from a single processing step, so the relevant risk lives in execution timing and context, not just in entitlement state. The implication is that agent governance has to observe action paths, not merely approve access grants.
ForcedLeak shows why AI agent identity controls must sit across input, tool, and output stages. A single missing control at any one stage allows a seemingly benign workflow to become a data-loss path. That aligns with the broader OWASP-NHI view that agent identity is a chain of trust, not a single login event. For practitioners, the lesson is to govern the full delegation chain from data ingestion to external transmission.
From our research:
- The average time to mitigate a leaked secret is 36 hours, highlighting the operational burden of manual remediation processes, according to The 2024 State of Secrets Management Survey.
- Only 44% of organisations are currently using a dedicated secrets management system, according to The 2024 State of Secrets Management Survey.
- For a broader breach lens, see The 52 NHI breaches Report for how compromised machine identity and delegated access patterns repeatedly lead to exposure.
What this signals
Prompt provenance will become a first-class governance control for AI programmes. As agents are allowed to read more external content, security teams will need controls that prove where instructions came from before they can be acted on. The practical shift is from static prompt filtering to continuous verification of the data path that feeds the agent.
Identity blast radius is now defined by outbound permissions as much as inbound access. If an agent can query records and send output to an external domain, the exfiltration path exists before any malicious instruction is introduced. Practitioners should review approved destinations, tool scopes, and review gates together rather than as separate controls.
With 88% of security professionals concerned about secrets sprawl, the same governance pressure will apply to agent toolchains that accumulate implicit trust over time. The next programme maturity step is to treat agentic AI and NHI controls as one lifecycle problem, not two disconnected teams.
For practitioners
- Isolate untrusted inputs from action-capable agents Route lead submissions and other external content through a non-executing validation layer before any agent can interpret or act on them. Separate ingestion, reasoning, and tool use so malicious text cannot become a command path.
- Review allowlisted domains as identity assets Check which approved domains can receive agent output, who owns them, and whether expired or third-party-controlled destinations still exist in the trust boundary. Remove destinations that are no longer under active administrative control.
- Require manual review before external transmission of CRM data Block any workflow that lets an agent send customer or lead records outside the environment without a human review step. Apply the same rule to emails, file generation, and image-based output channels used for exfiltration.
- Validate prompt-injection indicators in incoming content Add checks for unusual instruction patterns, encoded prompts, and content that attempts to redirect the agent away from the task objective. Feed those detections into monitoring and case management so abuse becomes visible.
Key takeaways
- ForcedLeak shows that indirect prompt injection can turn ordinary workflow content into a sensitive data exfiltration path.
- The incident demonstrates that allowlisted domains, tool permissions, and prompt trust must be governed together because a gap in any one layer can expose CRM data.
- Practitioners should treat AI agent governance as an identity and lifecycle problem, not just a model safety or content filtering problem.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Indirect prompt injection and tool misuse are core agentic AI risks in this incident. | |
| OWASP Non-Human Identity Top 10 | NHI-04 | The exploit abused trusted non-human execution paths and outbound data flow. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and permission scoping are central to the exposure path. |
| NIST AI RMF | MANAGE | AI governance and deployment controls apply to agent behaviour and unsafe output paths. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0010 , Exfiltration | The incident involves access to sensitive data and downstream exfiltration. |
Review NHI trust boundaries around agent workflows and restrict data egress to approved, monitored destinations.
Key terms
- Indirect Prompt Injection: Indirect prompt injection is an attack where malicious instructions are hidden inside content that an AI system reads later. The model may treat that content as context rather than as hostile input, which can influence tool use, data access, or workflow actions if controls are weak.
- Allowlisted Domain: A destination that has been pre-approved for a system to communicate with or send data to. In AI agent workflows, an allowlisted domain is part of the trust boundary, because outbound permissions can be abused for exfiltration if ownership, purpose, or control changes.
- Action Provenance: Action provenance is the record of who initiated a task, which identity executed it, what tool was used, and what decision was made at runtime. It is essential when delegated work crosses systems because it preserves accountability even when the original request and the final action are separated by many steps.
- Agent Output Governance: The rules and controls that limit where an AI agent can send information after it has processed input. This includes approval gates, destination allowlists, data-loss prevention, and review requirements for any action that could disclose sensitive records.
What's in the full analysis
Swarmnetics's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how the Web-to-Lead workflow became an exfiltration path
- Technical discussion of why the expired allowlisted domain enabled the attack
- Vendor guidance on input validation, manual review, and email tool restrictions
- The CVE context and patching details for Agentforce and Einstein AI
👉 Swarmnetics's full post covers the exploit chain, affected workflow, and hardening guidance.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org