TL;DR: Salesforce patched the ForcedLeak flaw in Agentforce after researchers showed that indirect prompt injection could exfiltrate CRM data through a whitelisted domain, with exploitation enabled by an expired allowlisted domain and Web-to-Lead workflows. The incident shows that approval boundaries and input trust assumptions collapse when generative systems execute instructions from untrusted content.
NHIMG editorial — based on content published by Swarmnetics covering the ForcedLeak vulnerability in Salesforce Agentforce
By the numbers:
- ForcedLeak was discovered and published in July 2025, and assigned a CVE score of 9.4 given its potential severity.
Questions worth separating out
Q: How should security teams reduce indirect prompt injection risk in AI systems?
A: Security teams should limit what AI systems can read, separate untrusted content from privileged actions, and apply least privilege to every connected agent.
Q: Why do allowlisted domains increase risk in AI agent workflows?
A: Allowlisted domains can become trusted delivery channels for exfiltration when an agent is allowed to send data outward without strong destination governance.
Q: What do security teams get wrong about prompt guardrails?
A: Teams often treat prompt guardrails as if they were authorisation controls, but they are only one layer of defence.
Practitioner guidance
- Isolate untrusted inputs from action-capable agents Route lead submissions and other external content through a non-executing validation layer before any agent can interpret or act on them.
- Review allowlisted domains as identity assets Check which approved domains can receive agent output, who owns them, and whether expired or third-party-controlled destinations still exist in the trust boundary.
- Require manual review before external transmission of CRM data Block any workflow that lets an agent send customer or lead records outside the environment without a human review step.
What's in the full analysis
Swarmnetics's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how the Web-to-Lead workflow became an exfiltration path
- Technical discussion of why the expired allowlisted domain enabled the attack
- Vendor guidance on input validation, manual review, and email tool restrictions
- The CVE context and patching details for Agentforce and Einstein AI
👉 Read Swarmnetics's analysis of the ForcedLeak Agentforce vulnerability →
ForcedLeak and Agentforce: what this means for AI agent governance?
Explore further
Indirect prompt injection is becoming an identity problem, not just a content safety problem. The attacker did not need a password, token, or session takeover to influence execution. They only needed a trusted ingestion path and an agent that accepted external text as actionable context. That means AI governance now has to treat prompt provenance and execution authority as part of the identity model, not as a separate model-safety issue.
A few things that frame the scale:
- The average time to mitigate a leaked secret is 36 hours, highlighting the operational burden of manual remediation processes, according to The 2024 State of Secrets Management Survey.
- Only 44% of organisations are currently using a dedicated secrets management system, according to The 2024 State of Secrets Management Survey.
A question worth separating out:
Q: Who is accountable when an AI-assisted workflow leaks sensitive data?
A: Accountability sits with the organisation that allowed the workflow to operate outside governed controls. Security, IAM, and business owners all share responsibility for ensuring approval, logging, and lifecycle management exist before data moves through the path. If no one can block or revoke it, no one is governing it.
👉 Read our full editorial: ForcedLeak exposes how indirect prompt injection breaks agent trust