Technical description
VentureBeat reported on April 15–16 that despite Microsoft patching CVE-2026-21520 (CVSS 7.5) in Copilot Studio in January 2026, data exfiltration via indirect prompt injection remains achievable. Capsule Security's 'ShareLeak' exploits a gap between SharePoint form submissions and the agent's context window — injecting a fake system-role message that overrides agent instructions, then exfiltrates SharePoint customer data via Outlook. Separately, 'PipeLeak' affects Salesforce Agentforce via the email tool-action channel on Custom Topics; Salesforce states it has 'remediated the specific scenario described' but Capsule Security retested and reports the email channel remains exploitable on Custom Topics.
Attack vector
ShareLeak: Attacker fills a public-facing SharePoint comment/form field with a crafted prompt payload that includes a fake system role message. Copilot Studio concatenates the malicious input with agent system instructions without sanitisation, overriding intended behaviour and directing data exfiltration via Outlook. PipeLeak uses the same injection principle through Agentforce's email tool-action channel.
Affected systems
Microsoft Copilot Studio agents connected to SharePoint form triggers (all tenants); Salesforce Agentforce deployments using Custom Topics with email tool-action capabilities.
Mitigation
For Copilot Studio: Audit every agent triggered by SharePoint forms for IoCs (unexpected Outlook send events, unusual SharePoint data queries). Review and harden agent system instructions; apply input validation at the form layer. For Agentforce: Verify Human-in-the-Loop (HITL) confirmation is enabled on all email-based agentic actions, including Custom Topics — do not rely on default settings alone. Monitor Salesforce's security advisory channel for CVE assignment and official patch for PipeLeak.