Microsoft recently patched ShareLeak, a significant vulnerability in Copilot Studio that allowed data exfiltration despite security measures. Capsule Security discovered the flaw and coordinated with Microsoft to issue a patch, highlighting a critical gap in agent-based systems. This development underscores the evolving nature of security threats in AI-driven platforms.
## Microsoft’s Copilot Studio Vulnerability
The vulnerability, identified as CVE-2026-21520, was an indirect prompt injection flaw in Microsoft’s Copilot Studio. Capsule Security found that an attacker could exploit a gap between SharePoint form submissions and the Copilot Studio agent’s context window. This allowed malicious actors to override system instructions and exfiltrate customer data via Outlook. Despite Microsoft’s safety mechanisms flagging suspicious activity, the data was still exfiltrated due to the use of legitimate Outlook actions, which bypassed data loss prevention (DLP) systems. This incident highlights a critical architectural failure in distinguishing between trusted and untrusted instructions.
## Context and Industry Competition
Capsule Security also identified a similar vulnerability in Salesforce’s Agentforce, dubbed PipeLeak. Unlike Microsoft, Salesforce has not yet assigned a CVE or issued a public advisory for this vulnerability. PipeLeak exploits a similar class of vulnerability through public lead forms, allowing unauthorized data exfiltration. Salesforce previously addressed a related vulnerability, ForcedLeak, by enforcing Trusted URL allowlists. However, PipeLeak bypasses this patch, continuing to pose a risk through email channels. This situation places pressure on Salesforce to address these vulnerabilities and highlights the broader challenges faced by companies relying on agentic platforms.
## Implications for the Industry
The assignment of a CVE by Microsoft to a prompt injection vulnerability in an agentic platform is a significant move, potentially setting a precedent for how such vulnerabilities are classified and managed. This could lead to increased scrutiny and a new class of vulnerabilities for enterprises to track. The situation emphasizes the need for a shift in security strategies, focusing on runtime enforcement and intent analysis rather than relying solely on traditional patching methods. As agents become more prevalent, organizations must adapt their security postures to address these emerging threats effectively.
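A runtime gate of the kind this paragraph calls for, written as an added example and not taken from Microsoft, Salesforce or Capsule Security. It tracks where each piece of the agent's context came from and denies an outbound mail action, rather than only flagging it, when form-sourced text is in context and a recipient is external. The source labels, the `corp.example` domain and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumptions for illustration: provenance labels and the internal-domain list.
TRUSTED_SOURCES = {"system", "operator"}
INTERNAL_DOMAINS = {"corp.example"}

@dataclass(frozen=True)
class Segment:
    source: str  # channel through which the text entered the context window
    text: str

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def tainted_sources(context):
    """Return the untrusted channels that contributed text to the context."""
    return sorted({s.source for s in context if s.source not in TRUSTED_SOURCES})

def external_recipients(recipients):
    """Return recipients outside the allowlist; malformed addresses count as external."""
    flagged = []
    for addr in recipients:
        local, sep, domain = addr.strip().lower().rpartition("@")
        if not sep or not local or domain not in INTERNAL_DOMAINS:
            flagged.append(addr)
    return flagged

def gate_send_email(context, recipients):
    """Run before the mail connector executes; the result is enforced, not logged."""
    tainted = tainted_sources(context)
    external = external_recipients(recipients)
    if tainted and external:
        return Decision(False, "untrusted input from " + ", ".join(tainted)
                        + " in context; external recipients: " + ", ".join(external))
    return Decision(True, "ok")

# Constructed sample context: one operator-written prompt, one form submission.
SAMPLE_CONTEXT = [
    Segment("system", "You answer questions about open support tickets."),
    Segment("sharepoint_form", "(free-text field submitted through a public form)"),
]

if __name__ == "__main__":
    for to in (["agent@corp.example"], ["someone@outside.example"]):
        print(to, gate_send_email(SAMPLE_CONTEXT, to))
```

The decision depends on provenance and destination only, so it holds even when the mail action itself is a legitimate connector call.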
The developments in Microsoft’s and Salesforce’s platforms highlight the ongoing challenges in securing agentic systems. As vulnerabilities like ShareLeak and PipeLeak emerge, companies must prioritize runtime security and adapt to the changing landscape to protect sensitive data.