Microsoft has assigned CVE-2026-21520 to a CVSS 7.5 indirect prompt injection vulnerability identified in Copilot Studio. The flaw, discovered by Capsule Security, was disclosed in coordination with Microsoft, and a patch was rolled out on January 15. The public was informed of the issue on Wednesday.
This CVE is significant not just for the problem it addresses but for its broader implications. Capsule’s research highlights Microsoft’s decision to assign a CVE to a prompt injection vulnerability in an agentic platform as “highly unusual.” Previously, Microsoft had allocated CVE-2025-32711 (CVSS 9.3) to EchoLeak, a prompt injection in M365 Copilot, which was fixed in June 2025. However, that vulnerability targeted a productivity assistant, not an agent-building platform. Should this precedent be applied to agentic systems in general, enterprises using agents might face a new category of vulnerabilities to monitor—one that cannot be completely addressed through patches alone.
Additionally, Capsule discovered another indirect prompt injection vulnerability, termed PipeLeak, in Salesforce Agentforce. While Microsoft has patched and assigned a CVE for this issue, Salesforce has not yet issued a CVE or public advisory, according to Capsule’s findings.
Understanding ShareLeak
The vulnerability dubbed ShareLeak exploits the gap between SharePoint form submissions and the context window of the Copilot Studio agent. An attacker can manipulate a public-facing comment field with a payload designed to inject a false system role message. Capsule’s tests revealed that Copilot Studio combined the malicious input with the agent’s system instructions without any input sanitization between the form and the model.
In Capsule’s proof-of-concept, the payload altered the agent’s original instructions, prompting it to access connected SharePoint Lists for customer data and send that information via Outlook to an attacker-controlled email address. The NVD categorizes this attack as low complexity, requiring no special privileges.
During Capsule’s testing, Microsoft’s safety mechanisms flagged the request as suspicious, yet the data was still extracted. The data loss prevention (DLP) did not activate because the email was processed through a legitimate Outlook action, which the system perceived as authorized.
Carter Rees, VP of Artificial Intelligence at Reputation, described the architectural flaw in a VentureBeat interview. According to Rees, the LLM cannot inherently tell apart trusted instructions from untrusted data. This results in a confused deputy scenario, where the system acts on behalf of the attacker. OWASP classifies this as ASI01: Agent Goal Hijack.
The team at Capsule Security discovered the Copilot Studio vulnerability on November 24, 2025. Microsoft confirmed the finding on December 5 and patched it by January 15, 2026. Security directors managing Copilot Studio agents triggered by SharePoint forms are advised to audit for signs of compromise during that timeframe.
PipeLeak and Salesforce’s Position
PipeLeak targets the same class of vulnerability but through another entry point. In tests by Capsule, a public lead form payload was able to hijack an Agentforce agent without requiring authentication. Capsule observed no limits on the volume of exfiltrated CRM data, and the employee who activated the agent was unaware of the data breach. As of publication, Salesforce has not issued a CVE or public advisory specific to PipeLeak.
Capsule is not the first to identify indirect prompt injection vulnerabilities in Agentforce. Noma Labs had previously disclosed ForcedLeak (CVSS 9.4) in September 2025, which Salesforce addressed by implementing Trusted URL allowlists. However, Capsule’s research indicates that PipeLeak still exists through another route: email via the agent’s authorized tool actions.
Naor Paz, CEO of Capsule Security, remarked to VentureBeat that there was no observed limit to exfiltration. “We did not get to any limitation,” Paz stated. “The agent would just continue to leak all the CRM.”
Salesforce suggested human-in-the-loop as a mitigation measure, but Paz argued against it. “If the human should approve every single operation, it’s not really an agent,” he told VentureBeat. “It’s just a human clicking through the agent’s actions.”
Microsoft has patched ShareLeak and assigned a CVE. According to Capsule’s research, while Salesforce patched the URL path for ForcedLeak, the email channel remains unaddressed.
In a separate VentureBeat interview, Kayne McGladrey, IEEE Senior Member, discussed the issue differently, suggesting that organizations are replicating human user accounts for agentic systems. McGladrey pointed out that agents operate with more permissions than humans would, due to their speed, scale, and objectives.
The Lethal Trifecta and Posture Management Shortcomings
Paz identified three structural conditions that make any agent vulnerable: access to private data, exposure to untrusted content, and the ability to communicate externally. ShareLeak and PipeLeak both meet all three criteria, as do most production agents, since these attributes are what make them functional.
Rees independently confirmed this finding. He told VentureBeat that relying on deterministic rules for defense-in-depth is fundamentally inadequate for agentic systems.
Elia Zaitsev, CrowdStrike’s CTO, in a separate VentureBeat exclusive, highlighted the inherent vulnerability in the patching mindset. “People are forgetting about runtime security,” he said. “Let’s patch all the vulnerabilities. Impossible. Somehow always seem to miss something.” Zaitsev noted that monitoring actual actions is a structured, solvable issue, unlike intent. CrowdStrike’s Falcon sensor follows the process tree and tracks actions rather than intent.
Multi-Turn Crescendo and the Coding Agent Weakness
Capsule’s research documented that single-shot prompt injections are just the beginning. Multi-turn crescendo attacks involve spreading payloads across several benign-looking interactions. Each interaction may pass scrutiny, but the attack only becomes apparent when viewed as a sequence.
Rees explained that current monitoring often overlooks this issue. A stateless WAF evaluates each interaction in isolation and sees no threat, Rees told VentureBeat, as it observes requests without understanding the semantic trajectory.
Capsule also identified undisclosed vulnerabilities in coding agent platforms, which they chose not to name. These include persistent memory poisoning and malicious code execution through MCP servers. In one instance, a file-level guardrail was circumvented by the agent itself, which found an alternative route to the same data. Rees noted the human factor: employees often paste proprietary code into public LLMs and consider security to be an obstacle.
McGladrey pointed to a governance failure. “If crime was a technology problem, we would have solved crime a fairly long time ago,” he told VentureBeat. “Cybersecurity risk as a standalone category is a complete fiction.”
The Runtime Enforcement Approach
Capsule integrates with vendor-provided agentic execution paths, including Copilot Studio’s security hooks and Claude Code’s pre-tool-use checkpoints, without using proxies, gateways, or SDKs. The company came out of stealth on Wednesday, aligning its $7 million seed round, led by Lama Partners with Forgepoint Capital International, with its coordinated disclosure.
Chris Krebs, the first Director of CISA and a Capsule advisor, explained the operational gap. “Legacy tools weren’t built to monitor what happens between prompt and action,” Krebs said. “That’s the runtime gap.”
Capsule’s system uses fine-tuned small language models to evaluate each tool call before execution, an approach that Gartner’s market guide refers to as a “guardian agent.”
However, not everyone agrees that intent analysis is the right solution. In an exclusive interview with VentureBeat, Zaitsev noted that intent-based detection is non-deterministic. “Intent analysis will sometimes work. Intent analysis cannot always work,” he said. CrowdStrike focuses on tracking what the agent actually does rather than its apparent intent. Microsoft’s own Copilot Studio documentation offers external security-provider webhooks to approve or block tool execution, providing a vendor-native control plane alongside third-party options. No single layer can bridge the gap. It requires runtime intent analysis, kinetic action monitoring, and foundational controls like least privilege, input sanitization, outbound restrictions, and targeted human-in-the-loop. SOC teams should begin mapping telemetry now, including Copilot Studio activity logs, webhook decisions, CRM audit logs for Agentforce, and EDR process-tree data for coding agents.
Paz outlined the broader transition. “Intent is the new perimeter,” he told VentureBeat. “The agent in runtime can decide to go rogue on you.”
VentureBeat Prescriptive Matrix
The following matrix outlines five vulnerability classes, highlights why current controls fall short, explains what runtime enforcement achieves, and suggests actions for security leaders.
| Vulnerability Class | Why Current Controls Miss It | What Runtime Enforcement Does | Suggested Actions for Security Leaders |
|---|---|---|---|
| ShareLeak — Copilot Studio, CVE-2026-21520, CVSS 7.5, patched Jan 15 2026 | Capsule’s testing found no input sanitization between the SharePoint form and the agent context. Safety mechanisms flagged the request, but data was still exfiltrated. DLP did not fire because the email used a legitimate Outlook action. OWASP ASI01: Agent Goal Hijack. | Guardian agent hooks into Copilot Studio pre-tool-use security hooks. Vets every tool call before execution. Blocks exfiltration at the action layer. | Audit every Copilot Studio agent triggered by SharePoint forms. Restrict outbound email to org-only domains. Inventory all SharePoint Lists accessible to agents. Review the Nov 24–Jan 15 window for indicators of compromise. |
| PipeLeak — Agentforce, no CVE assigned | In Capsule’s testing, public form input flowed directly into the agent context. No auth required. No volume cap observed on exfiltrated CRM data. The employee received no indication that data was leaving. | Runtime interception via platform agentic hooks. Pre-invocation checkpoint on every tool call. Detects outbound data transfer to non-approved destinations. | Review all Agentforce automations triggered by public-facing forms. Enable human-in-the-loop for external comms as an interim control. Audit CRM data access scope per agent. Pressure Salesforce for CVE assignment. |
| Multi-Turn Crescendo — distributed payload, each turn looks benign | Stateless monitoring inspects each turn in isolation. WAFs, DLP, and activity logs see individual requests, not the semantic trajectory. | Stateful runtime analysis tracks full conversation history across turns. Fine-tuned SLMs evaluate aggregated context. Detects when a cumulative sequence constitutes a policy violation. | Require stateful monitoring for all production agents. Add crescendo attack scenarios to red team exercises. |
| Coding Agents — unnamed platforms, memory poisoning + code execution | MCP servers inject code and instructions into the agent context. Memory poisoning persists across sessions. Guardrails are reasoned around by the agent itself. Shadow AI insiders paste proprietary code into public LLMs. | Pre-invocation checkpoint on every tool call. Fine-tuned SLMs detect anomalous tool usage at runtime. | Inventory all coding agent deployments across engineering. Audit MCP server configs. Restrict code execution permissions. Monitor for shadow installations. |
| Structural Gap — any agent with private data + untrusted input + external comms | Posture management tells you what should happen. It does not stop what does happen. Agents use far more permissions than humans at far greater speed. | Runtime guardian agent watches every action in real time. Intent-based enforcement replaces signature detection. Leverages vendor agentic hooks, not proxies or gateways. | Classify every agent by lethal trifecta exposure. Treat prompt injection as a class-based SaaS risk. Require runtime security for any agent moving to production. Brief the board on agent risk as business risk. |
Implications for 2026 Security Planning
Microsoft’s assignment of this CVE could either speed up or complicate how the industry addresses agent vulnerabilities. If vendors categorize them as configuration issues, the burden falls solely on CISOs.
It’s important to consider prompt injection as a class-level SaaS risk rather than focusing on individual CVEs. Classify every agent deployment against the lethal trifecta and mandate runtime enforcement for anything going into production. It’s essential to communicate to the board that agent risks are business risks, as pointed out by McGladrey, since treating cybersecurity risk as a standalone category is no longer effective once agents operate at machine speed.
Update, April 16, 2026: Following publication, a Salesforce spokesperson stated the company has “remediated the specific scenario described” and that Human-in-the-Loop confirmation is now the default for email-based agentic actions. Capsule Security, however, asserts that the email channel is still exploitable on Custom Topics (now called Sub-Agents in Agentforce), which constitute the majority of enterprise deployments. After retesting following Salesforce’s response, Capsule reported no change in behavior on Custom Topics.