{"data":{"id":"4bdfd374-c71c-45e5-b3c3-d0ade3be06bc","title":"Copilot & Agentforce Open to Prompt Injection Tricks","summary":"Researchers at Capsule Security discovered prompt injection vulnerabilities (attacks where malicious instructions are hidden in normal-looking inputs) in both Microsoft Copilot Studio and Salesforce Agentforce that allow attackers to trick AI agents into stealing data. In Microsoft's case, attackers can inject malicious commands into SharePoint forms to extract sensitive customer data and send it via email, while in Salesforce's case, they can embed harmful instructions in public lead forms to exfiltrate CRM data at scale.","solution":"For Microsoft Copilot Studio: \"Microsoft has meanwhile published a patch that has fixed the problem\" and \"no further measures are required on the part of users.\" For Salesforce Agentforce: The source text does not describe an explicit patch or mitigation from Salesforce. The source states that \"Salesforce acknowledged the prompt injection problem\" but classified the data exfiltration issue as \"configuration-specific\" and pointed to \"optional human-in-the-loop controls.\" General recommendations mentioned include: \"input validation, least-privilege access, as well as strict control\" and treating \"all external inputs as untrusted\" while setting up \"filters that separate data from instructions.\"","labels":["security"],"sourceUrl":"https://www.csoonline.com/article/4160426/copilot-agentforce-offen-fur-prompt-injection-tricks.html","publishedAt":"2026-04-20T09:39:48.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["prompt_injection","data_extraction"],"issueType":"news","affectedPackages":null,"affectedVendors":["Microsoft"],"affectedVendorsRaw":["Microsoft Copilot Studio","Salesforce Agentforce","Capsule Security"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-04-20T09:39:48.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}