Microsoft assigned CVE-2026-21520, a CVSS 7.5 indirect prompt injection vulnerability, to Copilot Studio. The patch was deployed on January 15. Public disclosure went live on Wednesday. And the data exfiltrated anyway.

The vulnerability, dubbed "ShareLeak" by Capsule Security, exploits the gap between a SharePoint form submission and a Copilot Studio agent's context window. An attacker fills a public-facing comment field with a crafted payload that injects a fake system role message. In Capsule's testing, Copilot Studio concatenated the malicious input directly with the agent's system instructions with no input sanitization between the form and the model.

The injected payload overrode the agent's original instructions, directing it to query connected SharePoint Lists for customer data and send that data via Outlook to an attacker-controlled email address. NVD classifies the attack as low complexity, requiring no privileges.

Here is the part that should concern every CISO reading this: Microsoft's own safety mechanisms flagged the request as suspicious during testing. The data was exfiltrated anyway. The DLP never fired because the email was routed through a legitimate Outlook action that the system treated as an authorized operation.

Salesforce Has the Same Problem. No CVE.

Capsule also discovered what they call "PipeLeak," a parallel indirect prompt injection vulnerability in Salesforce Agentforce. A public lead form payload hijacked an Agentforce agent with no authentication required. In testing, Capsule found no volume cap on exfiltrated CRM data, and the employee who triggered the agent received no indication that data had left the building.

"We did not get to any limitation," Capsule CEO Naor Paz told VentureBeat. "The agent would just continue to leak all the CRM."

Microsoft patched ShareLeak and assigned a CVE. As of publication, Salesforce has not assigned a CVE or issued a public advisory for PipeLeak. Salesforce recommended human-in-the-loop as a mitigation. Paz pushed back: "If the human should approve every single operation, it's not really an agent. It's just a human clicking through the agent's actions."

The Lethal Trifecta Every Enterprise Agent Shares

Paz named the structural condition that makes any agent exploitable: access to private data, exposure to untrusted content, and the ability to communicate externally. ShareLeak hits all three. PipeLeak hits all three. Most production agents hit all three because that combination is what makes agents useful.

Carter Rees, VP of Artificial Intelligence at Reputation, described the failure mode: "The LLM cannot inherently distinguish between trusted instructions and untrusted retrieved data. It becomes a confused deputy acting on behalf of the attacker." OWASP classifies this pattern as ASI01: Agent Goal Hijack.

CrowdStrike CTO Elia Zaitsev called the patching mindset itself the vulnerability: "People are forgetting about runtime security. Let's patch all the vulnerabilities. Impossible. Somehow always seem to miss something."

Multi-Turn Attacks Are Coming Next

Capsule's research also documented multi-turn crescendo attacks where adversaries distribute payloads across multiple benign-looking turns. Each turn passes inspection individually. The attack becomes visible only when analyzed as a sequence. A stateless WAF views each turn in a vacuum and detects no threat. It sees requests, not a semantic trajectory.

The decision by Microsoft to assign a CVE to an agentic platform vulnerability is precedent-setting. If that precedent extends broadly, every enterprise running AI agents inherits an entirely new vulnerability class to track. Except this one cannot be fully eliminated by patches alone.

If you are running Copilot Studio agents triggered by SharePoint forms, audit your environment for indicators of compromise dating back to before the January 15 patch. If you are running Agentforce, assume you are exposed until Salesforce says otherwise.

First reported by VentureBeat.