Microsoft patched a Copilot Studio prompt injection. The data exfiltrated anyway.

April 16, 2026

Microsoft assigned CVE-2026-21520, a CVSS 7.5 indirect prompt injection vulnerability, to Copilot Studio. Capsule Security found the flaw, coordinated disclosure with Microsoft, and the patch was deployed on January 15. Public disclosure went live on Wednesday.

That CVE matters less for what it fixes and more for what it signals. Capsule’s research calls Microsoft’s decision to assign a CVE to a prompt injection vulnerability in an agentic platform “highly unusual.” Microsoft previously assigned CVE-2025-32711 (CVSS 9.3) to EchoLeak, a prompt injection in M365 Copilot patched in June 2025, but that targeted a productivity assistant, not an agent-building platform. If the precedent extends to agentic systems broadly, every enterprise running agents inherits a new vulnerability class to track. Except that this class can’t be fully eliminated by patches alone.

Capsule also found what it calls PipeLeak, a parallel indirect prompt injection vulnerability in Salesforce Agentforce. Microsoft patched and assigned a CVE. Salesforce has not assigned a CVE or issued a public advisory for PipeLeak as of publication, according to Capsule’s research.

What ShareLeak actually does

The vulnerability the researchers named ShareLeak exploits the gap between a SharePoint form submission and the Copilot Studio agent’s context window. An attacker fills a public-facing comment field with a crafted payload that injects a fake system role message. In Capsule’s testing, Copilot Studio concatenated the malicious input directly with the agent’s system instructions, with no input sanitization between the form and the model.

The injected payload overrode the agent’s original instructions in Capsule’s proof-of-concept, directing it to query connected SharePoint Lists for customer data and send that data via Outlook to an attacker-controlled email address. NVD classifies the attack as low complexity and requiring no privileges.

Microsoft’s own safety mechanisms flagged the request as suspicious during Capsule’s testing. The data was exfiltrated anyway. DLP never fired because the email was routed through a legitimate Outlook action that the system treated as an authorized operation.

Carter Rees, VP of Artificial Intelligence at Reputation, described the architectural failure in an exclusive VentureBeat interview. The LLM cannot inherently distinguish between trusted instructions and untrusted retrieved data, Rees said. It becomes a confused deputy acting on behalf of the attacker. OWASP classifies this pattern as ASI01: Agent Goal Hijack.

The research team behind both discoveries, Capsule Security, found the Copilot Studio vulnerability on November 24, 2025. Microsoft confirmed it on December 5 and patched it on January 15, 2026. Every security director running Copilot Studio agents triggered by SharePoint forms should audit that window for indicators of compromise.

PipeLeak and the Salesforce split

PipeLeak hits the same vulnerability class through a different front door. In Capsule’s testing, a public lead form payload hijacked an Agentforce agent with no authentication required. Capsule found no volume cap on the exfiltrated CRM data, and the employee who triggered the agent received no indication that data had left the building. Salesforce has not assigned a CVE or issued a public advisory specific to PipeLeak as of publication.

Capsule is not the first research team to hit Agentforce with indirect prompt injection. Noma Labs disclosed ForcedLeak (CVSS 9.4) in September 2025, and Salesforce patched that vector by enforcing Trusted URL allowlists. According to Capsule’s research, PipeLeak survives that patch through a different channel: email via the agent’s authorized tool actions.

Naor Paz, CEO of Capsule Security, told VentureBeat the testing hit no exfiltration limit. “We didn’t get to any limitation,” Paz said. “The agent would just continue to leak all of the CRM.”

Salesforce recommended human-in-the-loop as a mitigation. Paz pushed back. “If the human should approve every single operation, it’s not really an agent,” he told VentureBeat. “It’s just a human clicking through the agent’s actions.”

Microsoft patched ShareLeak and assigned a CVE. According to Capsule’s research, Salesforce patched ForcedLeak’s URL path but not the email channel.

Kayne McGladrey, IEEE Senior Member, put it differently in a separate VentureBeat interview. Organizations are cloning human user accounts to agentic systems, McGladrey said, except agents use far more permissions than humans would because of the speed, the scale, and the intent.

The lethal trifecta and why posture management fails

Paz named the structural condition that makes any agent exploitable: access to private data, exposure to untrusted content, and the ability to communicate externally. ShareLeak hits all three. PipeLeak hits all three. Most production agents hit all three because that combination is what makes agents useful.

Rees validated the diagnosis independently. Defense-in-depth predicated on deterministic rules is fundamentally insufficient for agentic systems, Rees told VentureBeat.

Elia Zaitsev, CrowdStrike’s CTO, called the patching mindset itself the vulnerability in a separate VentureBeat exclusive. “People are forgetting about runtime security,” he said. “Let’s patch all the vulnerabilities. Impossible. Somehow you always seem to miss something.” Observing actual kinetic actions is a structured, solvable problem, Zaitsev told VentureBeat. Intent is not. CrowdStrike’s Falcon sensor walks the process tree and tracks what agents did, not what they appeared to intend.

Multi-turn crescendo and the coding agent blind spot

Single-shot prompt injections are the entry-level threat. Capsule’s research documented multi-turn crescendo attacks in which adversaries distribute payloads across multiple benign-looking turns. Each turn passes inspection. The attack becomes visible only when analyzed as a sequence.

Rees explained why current monitoring misses this. A stateless WAF views each turn in a vacuum and detects no threat, Rees told VentureBeat. It sees requests, not a semantic trajectory.

Capsule also found undisclosed vulnerabilities in coding agent platforms it declined to name, including memory poisoning that persists across sessions and malicious code execution through MCP servers. In one case, a file-level guardrail designed to restrict which files the agent could access was reasoned around by the agent itself, which found an alternate path to the same data. Rees identified the human vector: employees paste proprietary code into public LLMs and view security as friction.

McGladrey cut to the governance failure. “If crime was a technology problem, we would have solved crime a pretty long time ago,” he told VentureBeat. “Cybersecurity risk as a standalone category is a complete fiction.”

The runtime enforcement model

Capsule hooks into vendor-provided agentic execution paths, including Copilot Studio’s security hooks and Claude Code’s pre-tool-use checkpoints, with no proxies, gateways, or SDKs. The company exited stealth on Wednesday, timing its $7 million seed round, led by Lama Partners alongside Forgepoint Capital International, to its coordinated disclosure.

Chris Krebs, the first Director of CISA and a Capsule advisor, put the gap in operational terms. “Legacy tools weren’t built to watch what happens between prompt and action,” Krebs said. “That’s the runtime gap.”

Capsule’s architecture deploys fine-tuned small language models that evaluate every tool call before execution, an approach Gartner’s market guide calls a “guardian agent.”

Not everyone agrees that intent analysis is the right layer. Zaitsev told VentureBeat during an exclusive interview that intent-based detection is non-deterministic. “Intent analysis will sometimes work. Intent analysis cannot always work,” he said. CrowdStrike bets on observing what the agent actually did rather than what it appeared to intend. Microsoft’s own Copilot Studio documentation provides external security-provider webhooks that can approve or block tool execution, offering a vendor-native control plane alongside third-party options. No single layer closes the gap. Runtime intent analysis, kinetic action monitoring, and foundational controls (least privilege, input sanitization, outbound restrictions, targeted human-in-the-loop) all belong in the stack. SOC teams should map telemetry now: Copilot Studio activity logs plus webhook decisions, CRM audit logs for Agentforce, and EDR process-tree data for coding agents.
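As an added illustration (not Capsule’s, Microsoft’s or CrowdStrike’s code), the following Python sketches the kind of pre-tool-use checkpoint a security-provider webhook or guardian agent could implement: it keeps state across turns rather than judging each request alone, restricts outbound email to the org domain at the action layer, enforces a volume cap on records read, and routes a send to human review once a conversation has met all three lethal-trifecta conditions. The tool names, argument shapes, org domain and cap are assumptions.

```python
from dataclasses import dataclass

# Assumed values: the tenant's own mail domain and a per-conversation cap on records read.
ORG_DOMAIN = "example.com"
MAX_ROWS_PER_CONVERSATION = 500

@dataclass
class ConversationState:
    """Kept across turns so the checkpoint is stateful, not a per-request check."""
    rows_read: int = 0        # records returned to the agent so far in this conversation
    untrusted_turns: int = 0  # turns that carried untrusted content (e.g. a public form field)

def note_untrusted_input(state: ConversationState) -> None:
    """Record that content from an untrusted channel entered the agent's context."""
    state.untrusted_turns += 1

def is_external(address: str) -> bool:
    """True unless the mailbox is in the org domain or one of its subdomains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN)

def evaluate_tool_call(state: ConversationState, tool: str, args: dict) -> tuple[str, str]:
    """Pre-tool-use checkpoint: returns (decision, reason), decision in allow / review / block."""
    # Tool names (query_list, send_email) and their argument shapes are hypothetical.
    if tool == "query_list":
        requested = int(args.get("max_rows", 0))
        if state.rows_read + requested > MAX_ROWS_PER_CONVERSATION:
            return "block", f"volume cap: {state.rows_read + requested} > {MAX_ROWS_PER_CONVERSATION} rows"
        state.rows_read += requested  # counted now because an allowed call will execute
        return "allow", ""
    if tool == "send_email":
        external = [a for a in args.get("to", []) if is_external(a)]
        if external:  # enforced at the action layer, whatever the message text claims
            return "block", "external recipient(s): " + ", ".join(external)
        if state.untrusted_turns and state.rows_read:
            # untrusted input + private data read + outbound channel: targeted human-in-the-loop
            return "review", "private data read after untrusted input; human approval required"
        return "allow", ""
    return "allow", ""  # tools this policy does not cover are left to other layers

def run_conversation(events: list) -> list:
    """Replay a conversation of ('input',) and ('tool', name, args) events; return the decisions."""
    state, decisions = ConversationState(), []
    for event in events:
        if event[0] == "input":
            note_untrusted_input(state)
        else:
            decisions.append(evaluate_tool_call(state, event[1], event[2])[0])
    return decisions
```

A ShareLeak-shaped sequence (form input, list query, email to an outside address) is allowed through the read but blocked at the send; the same sequence addressed internally is held for review instead.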

Paz described the broader shift. “Intent is the new perimeter,” he told VentureBeat. “The agent in runtime can decide to go rogue on you.”

VentureBeat Prescriptive Matrix

The following matrix maps five vulnerability classes against the controls that miss them, and the specific actions security directors should take this week.

Vulnerability class: ShareLeak (Copilot Studio, CVE-2026-21520, CVSS 7.5, patched Jan 15 2026)
  Why current controls miss it: Capsule’s testing found no input sanitization between the SharePoint form and the agent context. Safety mechanisms flagged, but data still exfiltrated. DLP didn’t fire because the email used a legitimate Outlook action. OWASP ASI01: Agent Goal Hijack.
  What runtime enforcement does: Guardian agent hooks into Copilot Studio pre-tool-use security hooks. Vets every tool call before execution. Blocks exfiltration at the action layer.
  Suggested actions for security leaders: Audit every Copilot Studio agent triggered by SharePoint forms. Restrict outbound email to org-only domains. Inventory all SharePoint Lists accessible to agents. Review the Nov 24–Jan 15 window for indicators of compromise.

Vulnerability class: PipeLeak (Agentforce, no CVE assigned)
  Why current controls miss it: In Capsule’s testing, public form input flowed directly into the agent context. No auth required. No volume cap observed on exfiltrated CRM data. The employee received no indication that data was leaving.
  What runtime enforcement does: Runtime interception via platform agentic hooks. Pre-invocation checkpoint on every tool call. Detects outbound data transfer to non-approved destinations.
  Suggested actions for security leaders: Review all Agentforce automations triggered by public-facing forms. Enable human-in-the-loop for external comms as an interim control. Audit CRM data access scope per agent. Press Salesforce for CVE assignment.

Vulnerability class: Multi-Turn Crescendo (distributed payload, each turn looks benign)
  Why current controls miss it: Stateless monitoring inspects each turn in isolation. WAFs, DLP, and activity logs see individual requests, not semantic trajectory.
  What runtime enforcement does: Stateful runtime analysis tracks full conversation history across turns. Fine-tuned SLMs evaluate aggregated context. Detects when a cumulative sequence constitutes a policy violation.
  Suggested actions for security leaders: Require stateful monitoring for all production agents. Add crescendo attack scenarios to red team exercises.

Vulnerability class: Coding Agents (unnamed platforms, memory poisoning + code execution)
  Why current controls miss it: MCP servers inject code and instructions into the agent context. Memory poisoning persists across sessions. Guardrails reasoned around by the agent itself. Shadow AI insiders paste proprietary code into public LLMs.
  What runtime enforcement does: Pre-invocation checkpoint on every tool call. Fine-tuned SLMs detect anomalous tool usage at runtime.
  Suggested actions for security leaders: Inventory all coding agent deployments across engineering. Audit MCP server configs. Restrict code execution permissions. Monitor for shadow installations.

Vulnerability class: Structural Gap (any agent with private data + untrusted input + external comms)
  Why current controls miss it: Posture management tells you what should happen. It doesn’t stop what does happen. Agents use far more permissions than humans at far greater speed.
  What runtime enforcement does: Runtime guardian agent watches every action in real time. Intent-based enforcement replaces signature detection. Leverages vendor agentic hooks, not proxies or gateways.
  Suggested actions for security leaders: Classify every agent by lethal trifecta exposure. Treat prompt injection as class-based SaaS risk. Require runtime security for any agent moving to production. Brief the board on agent risk as business risk.

What this means for 2026 security planning

Microsoft’s CVE assignment will either accelerate or fragment how the industry handles agent vulnerabilities. If vendors call them configuration issues, CISOs carry the risk alone.

Treat prompt injection as a class-level SaaS risk rather than individual CVEs. Classify every agent deployment against the lethal trifecta. Require runtime enforcement for anything moving to production. Brief the board on agent risk the way McGladrey framed it: as business risk, because cybersecurity risk as a standalone category stopped being useful the moment agents started operating at machine speed.
