
Did you hear about Microsoft assigning CVE-2026-21520 to Copilot Studio for a CVSS 7.5 indirect prompt injection vulnerability? It was discovered by Capsule Security, disclosed to Microsoft, and patched on January 15. The public disclosure happened recently.
But what’s more interesting is the signal this CVE sends. Microsoft assigning a CVE to a prompt injection vulnerability in an agent-building platform like Copilot Studio is considered “highly unusual” by Capsule’s research. This vulnerability class poses a new challenge for enterprises running agents, one that cannot be fully eliminated by patches alone.
Capsule also found a similar vulnerability, named PipeLeak, in Salesforce Agentforce. While Microsoft patched and assigned a CVE, Salesforce has not issued a public advisory for PipeLeak yet, according to Capsule’s findings.
Understanding the ShareLeak Vulnerability
ShareLeak exploits the gap between a SharePoint form submission and the Copilot Studio agent’s context window. By injecting a crafted payload into a public-facing comment field, an attacker can override the agent’s original instructions. This could lead to unauthorized data access and exfiltration without requiring any special privileges.
Even though Microsoft’s safety mechanisms flagged the suspicious activity during testing, the data was still exfiltrated. This highlights a fundamental architectural flaw in how the system handles trusted versus untrusted instructions, classified as OWASP ASI01: Agent Goal Hijack.
The researchers at Capsule Security discovered ShareLeak on November 24, 2025, and Microsoft confirmed and patched it by January 15, 2026. Security directors should review Copilot Studio agents triggered by SharePoint forms for any signs of compromise.
Exploring PipeLeak and the Salesforce Situation
PipeLeak, a vulnerability found in Agentforce, operates on a similar vulnerability class as ShareLeak. In Capsule’s testing, CRM data could be exfiltrated without authentication, and there were no volume caps on the data transfer. Salesforce has not addressed PipeLeak with a CVE or public advisory yet.
Naor Paz, CEO of Capsule Security, revealed that there were no limitations on the amount of CRM data that could be leaked through PipeLeak. Salesforce’s recommended mitigation of human-in-the-loop approval was deemed insufficient by Paz.
Microsoft patched ShareLeak and assigned a CVE, while Salesforce’s response to PipeLeak remains pending. The conversation around these vulnerabilities highlights the challenges of securing agentic systems.
Stay tuned for more updates on the evolving landscape of agent vulnerabilities and the necessary security measures to protect against them.
