Salesforce Agentforce Agent Security Risks

Business Process Agents salesforce.com Fortified Leaders
AI RISK QUADRANT POSITION DEFENSE CONTROLS (7) ATTACK SURFACE (5.62) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
3.38
Critical
Attack Surface
5.62
High
Blast Radius
3.38
Medium
Defense Controls
7
Medium
About The Agent

Salesforce Agentforce is a cloud-hosted enterprise AI agent platform operating within the Salesforce multi-tenant Hyperforce architecture. Agents are configured through a declarative builder with topics, instructions, actions, and guardrails. They process CRM data and external inputs through the Atlas Reasoning Engine while delegating tool execution to Salesforce Flows, Apex classes, MCP-connected external servers, and External Services APIs. The platform supports supervisor-specialist orchestration patterns and cross-organization delegation via the Agent-to-Agent protocol.

About the AI Risk Quadrant

Fortified Leaders are agents that combine a moderate-to-high attack surface with defense controls that partially mitigate but do not fully close demonstrated exploitation paths. The blast radius is bounded by the deployment perimeter rather than by the agent's own control mechanisms. In this quadrant the primary residual risk is data egress through channels the agent can reach on its default configuration, where post-incident patches address individual vectors without eliminating the structural exposure pattern.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Agentforce presents elevated risk on external data ingestion and output processing channels while the managed SaaS perimeter contains blast radius to CRM-scoped actions.

Key Input Risks
Web-to-Lead forms, incoming customer emails, and MCP server outputs deliver attacker-controlled text directly into the agent reasoning context without dedicated prompt injection detection. ForcedLeak demonstrated exploitation via a single form submission field processed by the agent on its default configuration [4].
Key Execution Risks
Agent actions execute through Salesforce Flows, Apex classes, and External Services connectors within the platform managed runtime rather than arbitrary shell or code interpreters. No independent adversarial testing of the execution boundary has been published [11].
Key Action Risks
Custom Sub-Agent actions can fire email sends and external API calls without Human-in-the-Loop confirmation unless the operator explicitly configures the HITL toggle per action. The highest-scope default capability is CRM record modification combined with outbound email under the running user's full permission set [10].
Key Output Risks
Trusted URLs Enforcement restricts which domains the agent can reference in rendered output, addressing one demonstrated exfiltration vector. Email-based egress on custom Sub-Agents remained exploitable post-patch per independent testing, leaving an uncontrolled channel for data to reach external recipients [5].
Key Monitoring Risks
The Einstein Trust Layer audit trail captures prompts, responses, and toxicity scores within Data 360. Shield Event Monitoring with SIEM export requires the paid add-on, leaving standard-tier operators without real-time behavioral alerting for agent actions [13].

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Moderate defense partially offsets an elevated attack surface while the managed SaaS boundary constrains blast radius.

AIRQ Metrics

Agentforce lands in Fortified Leaders because demonstrated prompt injection chains exploited external data channels for data egress despite partial defense controls.

Headline scores reflect the interplay between attack surface breadth, blast radius containment, and defense maturity.

Metric Score Comments
AIRQ Score 3.38 Defense coverage partially offsets the attack surface, with blast radius containment pulling the composite lower.
Blast Radius 3.38 / 10 Bounded by the managed SaaS perimeter with no host shell, no file system, and registered-only network egress.
Attack Surface 5.62 / 10 Driven by demonstrated indirect prompt injection through external data and output processing channels [4][5].
Defense Controls 7 / 15 Trust Layer offers data-level protections and full audit logging; gaps persist in prompt injection detection and action gating [9].

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. External data ingestion and output processing carry the highest adjusted scores due to demonstrated exploitation chains, while remaining surfaces stay within the moderate band.

Attack Surface Metrics

Scores above 4 indicate demonstrated exploitation; scores at 2-3 indicate documented capability without public proof of compromise.

Each row combines a base architectural score with evidence-driven penalties where agent-specific exploitation has been documented.

Surface Score Comments
User Input 2 / 4 Multiple validated input channels with Trust Layer data masking and toxicity detection; no dedicated prompt injection classifier on direct user prompts [9][10].
External Data 5 / 4 Web-to-Lead forms, CRM records, and MCP outputs feed into reasoning without content validation; ForcedLeak demonstrated full-chain exploitation [4][13].
Memory 1 / 4 Session-level conversation context only; no cross-session persistent memory or autonomous learning loop within the agent runtime [15].
Reasoning 2 / 4 Atlas Reasoning Engine with visible Plan Canvas; reasoning constrained to declared topic scope but delegates to interchangeable vendor-managed LLMs [9].
Planning 2 / 4 Multi-step planning visible in Plan Canvas with subagent classification; approval configurable per action but not mandatory on custom actions [10].
Tool Execution 2 / 4 Actions execute through Salesforce Flows, Apex, and External Services within the platform permission model; no shell or arbitrary code execution [11].
Orchestration 2 / 4 Supervisor-specialist subagent pattern within user sessions; no background daemon execution or scheduled autonomous runs without Flow triggers [15].
Inter-Agent 3 / 4 MCP Server Registry connects to external tool ecosystems with admin allowlisting; A2A protocol enables cross-org delegation with limited message integrity verification [14].
Output Processing 5 / 4 ForcedLeak demonstrated data exfiltration via image URL embedding; PipeLeak showed email-based egress bypassing Trusted URLs on custom Sub-Agents [4][5].
Configuration 4.5 / 4 CVE-2025-64320 demonstrated code injection through the Vibes Extension config surface; CVE-2025-64322 enabled unauthorized config manipulation [1][3].

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. All three conditions are triggered with high confidence, creating the structural prerequisite for indirect prompt injection chains that end in data exfiltration — as demonstrated by both ForcedLeak and PipeLeak.

Lethal Trifecta · Complete (3 of 3)

Salesforce Agentforce exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Web-to-Lead forms accept arbitrary external text stored in CRM; MCP server outputs and customer email content enter the agent reasoning context as first-class data without prompt injection filtering [4][5].
  • Sensitive data — Agents read CRM records containing customer PII, sales pipeline data, and support case details; in maker mode the agent inherits the creator's full permission scope regardless of invoker identity [7][9].
  • External egress — Agents can send emails, call external MCP servers, and invoke External Services APIs; pre-patch image URL exfiltration and post-patch email egress on custom Sub-Agents provide demonstrated channels [4][5].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. The managed SaaS boundary eliminates host-level impact categories while CRM-scoped actions and registered network channels define the containment perimeter.

Blast Radius Metrics

Scores of 0 indicate structurally absent capability; scores of 1-2 indicate presence bounded by platform controls.

Each factor reflects the maximum damage achievable through the agent's documented action capabilities within its deployment context.

Factor Score Comments
Code execution 1 / 4 Actions execute through the managed Salesforce runtime with no shell, no arbitrary code interpreter, and no container escape surface available [11].
File system access 0 / 4 No host file system access; the agent operates entirely within the Salesforce platform data model with no local storage primitives [15].
Network access 2 / 4 Outbound requests restricted to registered MCP servers, External Services endpoints, and Trusted URL allowlist destinations post-patch [13][14].
Credential access 2 / 4 Agents access CRM data under the running user's permission scope; in maker mode the creator's connected app OAuth tokens enable external API calls [7][10].
Autonomous action 2 / 4 HITL required by default on OOTB email actions; custom actions require explicit HITL configuration; PipeLeak exploited this gap on custom Sub-Agents [5][10].
Deployment access 1 / 4 Agents can trigger Salesforce Flows that modify records but cannot deploy code, modify infrastructure, or publish packages to external registries [15].

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The Einstein Trust Layer provides data masking and audit trail while the multi-tenant perimeter offers structural isolation, but prompt injection detection and granular action gating remain partial.

Defense Controls Metrics

Scores of 2 indicate documented and independently attested controls; scores of 1 indicate vendor-claimed controls with known bypass paths.

Each component reflects the maturity and demonstrated effectiveness of the control against the agent's documented attack surface.

Component Score Comments
Input Guardrails 1 / 3 PII/PCI data masking, toxicity detection, and topic-based scope limitations are documented; no dedicated ML-based prompt injection detection operates by default [9][12].
Execution Isolation 2 / 3 Multi-tenant Hyperforce with logical org separation and SOC 2 attestation; no shell or file system escape surface available to the agent [11][12].
Action Controls 1 / 3 HITL on OOTB email actions by default with MCP Server Registry admin allowlisting; custom Sub-Agent actions remain configurable without mandatory HITL [5][10].
Output Guardrails 1 / 3 Trusted URLs Enforcement deployed post-ForcedLeak blocks untrusted URL generation; no documented DLP layer beyond Trust Layer data masking [4][13].
Monitoring 2 / 3 Einstein Trust Layer audit trail in Data 360 captures all prompts and responses; Shield Event Monitoring with SIEM integration requires paid add-on [11][18].

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators can materially reduce residual risk by closing the three gaps the default configuration leaves open.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require all external-sourced data fields (Web-to-Lead, email body, MCP outputs) to pass through input validation rules before agent processing [6].
  • Configuration Enable Trust Layer data masking for all PII categories and configure custom masking rules for organization-specific sensitive field patterns [9].
  • Engineering Deploy a third-party prompt injection detection classifier inline before the Atlas Reasoning Engine processes external-sourced context [8].

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Restrict MCP server registrations to vendor-vetted AgentExchange entries only and block custom third-party MCP server connections in production [14].
  • Configuration Configure Salesforce IP restriction rules to limit agent API call destinations to approved network ranges [11].
  • Engineering Implement a pre-action validation Flow that inspects tool call parameters before execution for anomalous patterns [15].

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Mandate HITL confirmation on all custom Sub-Agent actions that send external communications or modify sensitive records [5][16].
  • Configuration Scope agent permission sets to read-only CRM access unless write capability is explicitly justified per workflow [10].
  • Engineering Require secondary approval for any agent action invoking MuleSoft or External Services connectors to systems holding financial data [6].

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Audit the Trusted URLs allowlist quarterly and remove expired, unused, or legacy domains to prevent CSP bypass patterns [17].
  • Configuration Configure output monitoring rules that alert when agent responses contain external URLs or email content referencing non-business domains [13].
  • Engineering Deploy content inspection on outbound agent emails to detect and block PII patterns not caught by Trust Layer masking [16].

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Subscribe to Shield Event Monitoring and configure SIEM forwarding for all Agentforce-related event types on every production org [18].
  • Configuration Create automated alerts for anomalous agent behavior patterns such as high-volume CRM queries following external form submissions [17].
  • Engineering Enable the Salesforce Platform Events connector to Data Cloud for centralized agent telemetry correlation across org boundaries [2].

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2025-64320 LLM prompt neutralization flaw in Agentforce Vibes Extension enabling code injection via crafted input (CVSS 6.5). Patched in version 3.2.0.
  2. CVE-2025-64321 LLM prompt neutralization vulnerability in Agentforce Vibes Extension allowing manipulation of writable configuration files (CVSS 5.3). Patched in version 3.3.0.
  3. CVE-2025-64322 Incorrect permission assignment in Agentforce Vibes Extension allowing unauthorized configuration file manipulation (CVSS 5.3). Patched in version 3.3.0.
  4. ForcedLeak: AI Agent Risks Exposed in Salesforce Agentforce Critical severity (CVSS 9.4) indirect prompt injection chain enabling CRM data exfiltration via Web-to-Lead form and expired whitelisted domain. Patched via Trusted URLs Enforcement.
  5. PipeLeak: Exploiting Salesforce Agentforce with Indirect Prompt Injection Indirect prompt injection via lead form exploiting email tool on custom Sub-Agents to exfiltrate CRM data. No CVE assigned; Salesforce disputes platform-level impact.

Selected Research

  1. Microsoft and Salesforce Prompt Injection Remediation Playbook VentureBeat analysis covering both ForcedLeak and PipeLeak with enterprise remediation guidance and vendor response timelines.
  2. Agentic Guardrails: Deterministic Controls for Probabilistic Systems Obsidian Security analysis documenting maker-mode privilege escalation pattern in Salesforce Agentforce where agent runs with creator credentials rather than invoker permissions.
  3. OWASP Top 10 for Agentic Applications 2026 Peer-reviewed framework identifying critical security risks in autonomous AI systems; PipeLeak maps directly to ASI01 Agent Behavior Hijack.

Vendor Documentation

  1. Agentforce Developer Guide: Einstein Trust Layer Vendor documentation of the Einstein Trust Layer covering data masking, toxicity detection, zero data retention agreements, and audit trail capabilities.
  2. Best Practices for Building Secure Agentforce Service Agents Salesforce-published guidance on least-privilege permissions, authentication requirements, guardrails configuration, and shared responsibility model.
  3. SOC 2 Report: Einstein Platform and Agentforce on Hyperforce Third-party SOC 2 audit covering security, availability, and confidentiality controls for Agentforce services through reporting period ending January 2026.
  4. Salesforce FedRAMP High Authorization for Agentforce Announcement confirming FedRAMP High authorization for Agentforce alongside Data Cloud and Marketing Cloud for US public sector deployments.
  5. Securing Agentforce: How Salesforce Protects Your AI Strategy Vendor security overview documenting Trusted Services including Trusted URLs enforcement, Shield Event Monitoring, and Policy Center for agent governance.
  6. Agentforce MCP Support Vendor documentation of MCP Server Registry, admin allowlisting controls, AgentExchange marketplace, and enterprise governance for external tool integration.

Other Sources

  1. ForcedLeak Flaw in Salesforce Agentforce Exposes CRM Data Security Affairs coverage of the ForcedLeak attack chain including disclosure timeline and enterprise impact assessment.
  2. Microsoft, Salesforce Patch AI Agent Data Leak Flaws Dark Reading coverage comparing the PipeLeak and ShareLeak vulnerabilities across Salesforce and Microsoft platforms with remediation guidance.
  3. ForcedLeak and the Future of AI Agent Security Varonis analysis of ForcedLeak structural implications for enterprise Agentforce deployments including CSP misconfiguration risks.
  4. Agentforce Security Best Practices and Use Cases Third-party security guide covering Shield Event Monitoring integration, agent action logging, and operational security checklist for Agentforce deployments.