Capsule Security — ShareLeak and PipeLeak prompt injection in Copilot Studio and Agentforce

AI relevance: Capsule Security discovered two indirect prompt injection vulnerabilities — ShareLeak in Microsoft Copilot Studio (CVE-2026-21520, CVSS 7.5) and PipeLeak in Salesforce Agentforce — both exploitable through public-facing form submissions that hijack AI agent behavior and exfiltrate enterprise data via legitimate tool actions.

  • ShareLeak (CVE-2026-21520): An indirect prompt injection in Microsoft Copilot Studio where an attacker crafts a malicious payload in a public SharePoint comment field, which Copilot Studio concatenates directly with the agent's system instructions without input sanitization
  • The injected payload overrides the agent's original instructions, directing it to query connected SharePoint Lists for customer data and send results via Outlook to an attacker-controlled email
  • Microsoft's own data loss prevention (DLP) mechanisms flagged the request as suspicious during Capsule's testing — but the exfiltration succeeded anyway because the email was routed through a legitimate Outlook action the system treated as authorized
  • NVD classifies the attack as low complexity with no privileges required
  • Microsoft patched on January 15, 2026, but public disclosure only went live this week — every security director running Copilot Studio agents triggered by SharePoint forms should audit that window for indicators of compromise
  • PipeLeak: A parallel indirect prompt injection in Salesforce Agentforce, triggered through unauthenticated public lead-form submissions that hijack agent behavior to exfiltrate CRM data with no volume cap and no indication to the triggering employee
  • Salesforce has not assigned a CVE or issued a public advisory for PipeLeak as of publication
  • PipeLeak survives Salesforce's previous ForcedLeak patch (CVE-2025, CVSS 9.4, patched September 2025 by enforcing Trusted URL allowlists) through a different channel: email-based form submissions rather than web URLs
  • Capsule Security simultaneously launched with $7M in funding for an AI agent runtime control platform, demonstrating both vulnerabilities as proof of the gap between patching and runtime enforcement

Why It Matters

Microsoft's decision to assign a CVE to a prompt injection vulnerability in an agentic platform is highly unusual — only the second time Microsoft has done so for prompt injection, after CVE-2025-32711 (EchoLeak in M365 Copilot). If this precedent extends to agentic systems broadly, every enterprise running AI agents inherits a new vulnerability class to track. More critically, these vulnerabilities expose the fundamental architectural gap: LLMs cannot inherently distinguish between trusted instructions and untrusted retrieved data, becoming confused deputies acting on behalf of attackers (classified by OWASP as ASI01: Agent Goal Hijack). Patching alone cannot eliminate this class of vulnerability because the root cause is the model's inability to separate trusted from untrusted context.

What To Do

  • Audit Copilot Studio agents — identify any agents triggered by SharePoint forms, public surveys, or external data sources that feed directly into the agent context window
  • Verify patch level — ensure Copilot Studio is updated past the January 15, 2026 patch; review activity logs from November 24, 2025 through January 15 for anomalous data access patterns
  • Implement runtime controls — deploy agent firewalls or runtime monitoring that validate agent behavior against expected patterns, independent of model-level safety filters
  • Restrict agent tool permissions — apply least-privilege access to agent-connected services (SharePoint, Outlook, CRM); agents should not have broad read access to customer data unless explicitly required
  • Segment agent data sources — sanitize and classify all inputs that flow into agent context windows; treat user-generated content from public forms as adversarial
  • Monitor Salesforce Agentforce — until Salesforce issues an advisory for PipeLeak, audit Agentforce agents triggered by public lead forms for unexpected outbound data transfers
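One way to implement the runtime-control and least-privilege steps above, as an added example that is not Capsule Security's, Microsoft's or Salesforce's code: a small policy layer in front of the agent's tools that tracks input provenance and the tool chain outside the model's context, so an injected instruction cannot talk its way past it. The tool names, the mail-domain allowlist and the replayed sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy data (placeholders): which tools read customer data, which ones
# move data out of the tenant, and which mail domains count as internal.
TRUSTED_MAIL_DOMAINS = {"corp.example"}
SENSITIVE_READ_TOOLS = {"sharepoint_list_query", "crm_query"}   # hypothetical names
EGRESS_TOOLS = {"outlook_send"}
UNTRUSTED_SOURCES = {"sharepoint_comment", "public_form", "lead_form"}

@dataclass
class Session:
    """Policy state kept outside the model's context, so prompt text cannot rewrite it."""
    untrusted_input: bool = False   # public-form text has entered the context window
    sensitive_read: bool = False    # a customer-data tool has already run this session
    log: list = field(default_factory=list)

def ingest(session, text, source):
    """Label context by origin; anything from a public form is treated as adversarial."""
    if source in UNTRUSTED_SOURCES:
        session.untrusted_input = True
    return text

def check_tool_call(session, tool, args):
    """Decide before the tool executes. Returns (allowed, reason) and logs it."""
    decision = (True, "allowed")
    if tool in SENSITIVE_READ_TOOLS:
        session.sensitive_read = True
    elif tool in EGRESS_TOOLS:
        domain = args.get("to", "").rsplit("@", 1)[-1].lower()
        if domain not in TRUSTED_MAIL_DOMAINS:
            decision = (False, f"recipient domain {domain!r} not in allowlist")
        elif session.untrusted_input and session.sensitive_read:
            # The confused-deputy chain: untrusted text in context, then a data read, then egress.
            decision = (False, "egress after sensitive read in an untrusted-input session")
    session.log.append((tool, decision))
    return decision

def simulate_shareleak():
    """Constructed replay of the ShareLeak chain: public comment -> list query -> outbound mail."""
    s = Session()
    ingest(s, "<constructed public comment; its wording is irrelevant to the policy>", "sharepoint_comment")
    return [check_tool_call(s, "sharepoint_list_query", {"list": "Customers"}),
            check_tool_call(s, "outlook_send", {"to": "drop@attacker.invalid", "body": "..."}),
            check_tool_call(s, "outlook_send", {"to": "helpdesk@corp.example", "body": "..."})]

def simulate_operator_run():
    """Same tools, but the instruction came from an operator: allowed end to end."""
    s = Session()
    ingest(s, "Send this week's customer list to the helpdesk.", "operator")
    return [check_tool_call(s, "sharepoint_list_query", {"list": "Customers"}),
            check_tool_call(s, "outlook_send", {"to": "helpdesk@corp.example", "body": "..."})]
```

The decision depends only on provenance and the sequence of tool calls, not on the content of the comment, which is what makes it independent of the model-level filters the DLP bypass above defeated.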
