Six Months, Six CVEs: The Agentic Pattern That ForcedLeak Started and Why Patches Won't End It
In April, VentureBeat ran a headline that should have stopped more people in their tracks than it did: "Microsoft patched a Copilot Studio prompt injection. The data exfiltrated anyway."
That headline could have been written about Salesforce too. Noma Labs disclosed ForcedLeak in September 2025. Salesforce patched it. Capsule Security disclosed PipeLeak in April 2026 - same injection point, different exfiltration channel, same data leaving the same way. The patch closed a door. The architecture left every other door open.
If you only read the vendor advisories, this looks like two unrelated incidents at two different companies. If you read the security research from the last six months as a single document, it looks like something else entirely: the same vulnerability appearing in every major agentic platform, in roughly the same shape, faster than anyone is patching it.
This post is about that pattern, why it exists, and what "patched" should actually mean for this class of vulnerability.
The six (so far)
The pattern is easier to see when you put the incidents in order. Six months, six distinct disclosures, six different vendors.
ForcedLeak. Noma Labs, disclosed September 25, 2025. CVSS 9.4. Salesforce Agentforce. The injection point was the Description field on a Web-to-Lead form (42,000 characters of attacker-controlled text). The exfiltration path was a URL callout to a domain that the attacker registered for $5 because Salesforce's Trusted URLs allowlist had a stale entry on it. The agent processed the poisoned lead during a sales rep's routine summary request and dutifully sent CRM data to the attacker's domain.
CVE-2026-21520 (ShareLeak). Capsule Security, patched January 15, 2026. Microsoft Copilot Studio. Indirect prompt injection through SharePoint form submissions. The agent had access to enterprise data, ingested attacker-controlled form content, and used its authorized tools to exfiltrate. Microsoft patched the specific scenario. The architecture didn't move.
PipeLeak. Capsule Security, disclosed April 2026. Salesforce Agentforce. Same Web-to-Lead injection point as ForcedLeak. This time the exfiltration channel was the agent's authorized email actions instead of URL callouts. The ForcedLeak patch did not protect against it because the patch closed a channel, not a class. Salesforce told VentureBeat after publication that human-in-the-loop is now default for email-based agentic actions; Capsule maintains the email channel remains exploitable on Custom Topics (now called Sub-Agents), which represent the majority of enterprise deployments.
GeminiJack. Google Gemini. Indirect prompt injection in the same architectural class, now part of the standard list of examples in industry pattern analyses.
CrewAI: CVE-2026-2275 and CVE-2026-2285. Open-source multi-agent orchestration framework. Four vulnerabilities, all triggerable through prompt injection. CVE-2026-2275 at CVSS 9.6 exploits an insecure sandbox fallback. CVE-2026-2285 enables arbitrary file reads through missing path validation. The injection is the trigger; the consequences extend to RCE and filesystem access.
RSAC 2026 demos. Zenity CTO Michael Bargury, April 2026. Zero-click prompt injection attacks demonstrated live across Cursor, Microsoft Copilot, Google Gemini, Salesforce Agentforce, ChatGPT, and Perplexity Comet. In one chain, a malicious email is auto-processed into a Jira ticket, which Cursor ingests and executes - achieving secret exfiltration and RCE without any user interaction. Six vendors. One conference session. No common code base between them.
Six incidents. Six vendors. Six months. The pattern is not that Salesforce has a problem, or that Microsoft has a problem. The pattern is that every vendor building useful agents has the same problem, and they have it for the same reason.
The pattern has a name
Simon Willison named it the "lethal trifecta" in June 2025. The framing is simple, and once you see it, you cannot unsee it. An agent is dangerous when it has all three of:
- Access to private or sensitive data
- Exposure to untrusted content
- The ability to communicate externally
Walk through the six incidents. ForcedLeak: CRM data (1), Web-to-Lead form submissions (2), URL callouts (3). PipeLeak: same data, same untrusted content, email instead of URLs (3). ShareLeak: SharePoint data (1), SharePoint forms (2), authorized agent tools (3). The RSAC chain on Cursor: codebase secrets (1), Jira tickets ingesting email (2), shell access (3). CrewAI: file system access (1), prompt-driven task assignment (2), Docker fallback escape (3).
Every one of them hits all three.
This is not a coincidence. It is the definition of a useful agent. An agent that does not have access to your data is not useful. An agent that cannot ingest external content cannot summarize emails, process leads, read tickets, or do most of the things you bought it to do. An agent that cannot communicate externally cannot send the report, file the ticket, or call the API.
The trifecta isn't a Salesforce bug. It isn't a Microsoft bug. It is the agent specification. Every vendor in the space is racing to ship agents that satisfy all three conditions because that's the product. The vulnerability is structural to the category, not to any one implementation.
Why patches close channels, not classes
This is the part the vendor advisories never quite say.
A patch like Salesforce's Trusted URLs enforcement closes one specific path: the agent can no longer make outbound HTTP requests to domains that aren't on a list. That's good. It's also narrow. The agent still has access to private data (condition 1). It still ingests untrusted content (condition 2). It still has other tools that can communicate externally (condition 3) - email, in PipeLeak's case. Closing one channel of condition 3 does not eliminate condition 3. It just shifts the next exploit to the next channel.
The same pattern is visible on the Microsoft side. CVE-2026-21520 was patched in January. Three months later, researchers demonstrated that data still exfiltrated through a different mechanism. Waxell's analysis of that incident put the structural point plainly: AI safety filters aren't kill switches. Filters tell the model what not to do. Kill switches prevent the action regardless of what the model was told.
The benchmark research backs this up. The InjecAgent benchmark from the Findings of ACL 2024 found that ReAct-prompted GPT-4 was vulnerable to indirect prompt injection at a baseline rate of 24%, and enhanced attacks nearly doubled that to 47%. The AgentDojo benchmark, used by both the US and UK AI Safety Institutes, found that defenses that reduce attack success rates also significantly degrade model utility. The security-utility tradeoff is structural, not a tuning problem. The defenses that work make the agents useless. The defenses that preserve utility leave the attack surface open.
This is what it means to say the bug is in the class, not the channel. Vendors can keep patching channels for years and the vulnerability rate will not approach zero, because the conditions that produce the vulnerability are the same conditions that make the product valuable.
What "patched" should mean
If channel patches are insufficient, what would sufficient look like? Three categories of control, in increasing order of how much they actually change.
Channel patches. What vendors do today. Trusted URLs enforcement, human-in-the-loop on email, sandbox hardening, prompt defense templates. These are necessary. They raise the cost of attack. They do not, and cannot, eliminate the class.
Trifecta breaking. Split agents so that any single agent has at most two of the three lethal conditions. An agent that can read external content and access private data, but cannot communicate externally, is structurally safer than one that can do all three. An agent that can communicate externally and access private data, but only operates on trusted internal content, is structurally safer. This is design discipline, not vendor patching, and it falls almost entirely on the customer. Salesforce's secure data retrieval bounds the first leg. Trusted URLs enforcement partially bounds the third. Nobody - vendor or customer - is yet treating the trifecta as the design constraint.
Governance-plane controls. Pre-execution enforcement that intercepts agent actions before they execute, independent of what the model was instructed to do. Kill switches that the model cannot override because the model never sees them. Purpose binding that restricts each agent's actions to a declared scope. Network isolation that prevents agents from reaching destinations outside their intended scope, regardless of what they've been told to do. From Kiteworks' 2026 Data Security, Compliance & Risk Forecast: 55% to 63% of surveyed organizations lack purpose binding, kill switches, or network isolation for their AI agents. The same survey found 41% to 44% have not implemented basic human-in-the-loop oversight.
The third category is what "patched" should mean for this class of vulnerability, and it is the category almost nobody has implemented.
What this means for your Agentforce deployment
The Salesforce-specific implications come down to three things.
Inventory your trifecta exposure. For every Agentforce agent and topic in your org, document which legs of the trifecta apply. Most production deployments hit all three by default. The Salesforce defaults are designed for capability, not for least privilege. Sub-Agents (formerly Custom Topics) frequently have authorized email actions, web search, external API callouts, and CRM read access bundled together because that's what makes them useful. Document it. The act of writing down which agents have all three legs makes the architectural risk visible in a way that vendor advisories never will.
Build the next-disclosure playbook now. Treat the next ForcedLeak-class disclosure as a when, not a whether. The pattern from the last six months says another one is coming, probably from a researcher group that has not disclosed yet, probably affecting a tool you're already using. Decide now: who reviews the advisory when it drops, who has authority to disable affected topics, who communicates to internal stakeholders, what your customer-facing message is if any data was exposed. Decide it before you need it.
Stop treating "the agent is patched" as a security state. Start treating "the agent has the trifecta" as the security state. A patched agent with all three legs of the trifecta is more vulnerable than an unpatched agent that has had one leg structurally removed. The question to ask of every Agentforce deployment is not "have we applied the latest patches" but "what would this agent do if the next data source it reads contains attacker-authored instructions, and what's the worst outcome possible given the tools it currently has access to."
The primer for this post argued that the Einstein Trust Layer is the floor, not the ceiling. Six months of research has added a corollary: the ceiling is built by removing trifecta legs, not by waiting for the next patch.
The compliance shadow
Worth noting briefly, because it changes the timeline.
The EU AI Act high-risk system requirements come into force August 2026. Documented injection resistance is going to become a procurement and audit requirement for any AI system that falls into the high-risk category, which includes most enterprise agent deployments touching customer data, employment decisions, or financial services. Vendors who frame their controls in terms of channel-by-channel patches will struggle to produce the documentation. Vendors who frame their controls in terms of architectural class-level defenses will have a substantially easier time. Customers procuring these systems should be asking, this quarter, which side of that line their vendors fall on.
That's a separate post. The short version: the regulatory clock is moving faster than the patching cadence, and the gap is going to matter.
The shape of the next twelve months
The first six CVEs are out. The architecture hasn't changed. The next six will be along shortly, and they will look almost exactly like the first six: different vendor, different injection point, different exfiltration channel, same lethal trifecta sitting underneath.
The orgs that come through this in one piece will be the ones that treat agentic AI as a class-level architectural problem and not a configuration problem. They will be the ones that inventoried their trifecta exposure before the next disclosure dropped. They will be the ones whose agents had one leg removed by design, not by patch.
Plan for the class. Not the bug.