Microsoft patches Copilot Studio prompt injection; data leaked anyway

Microsoft patched a Copilot Studio prompt injection, but Capsule says the data was exfiltrated anyway.
This isn’t just another CVE number sitting in a database. Microsoft assigned CVE-2026-21520, an indirect prompt injection vulnerability, to Copilot Studio. Capsule Security discovered the flaw, coordinated disclosure with Microsoft, and the patch was deployed on January 15. Public disclosure went live on Wednesday.
What the filing is really about—at least according to Capsule’s research—is how strange the decision to assign a CVE to a prompt injection in an agentic platform looks compared with what’s come before. Misryoum newsroom reported that Microsoft previously assigned CVE-2025-32711 (CVSS 9.3) to EchoLeak, a prompt injection in M365 Copilot patched in June 2025. That earlier issue targeted a productivity assistant, not a system built for building agents. Capsule calls the new decision “highly unusual,” and the worry is pretty clear: if that precedent keeps spreading, enterprises running agent platforms will have to treat prompt injection like a recurring vulnerability class—one that patches alone can’t fully stamp out.
Misryoum editorial desk noted Capsule also discovered a parallel issue they named PipeLeak in Salesforce Agentforce. Microsoft patched the Copilot Studio issue and assigned a CVE, but Salesforce has not assigned a CVE or issued a public advisory for PipeLeak as of publication. Capsule’s description of ShareLeak (the Copilot Studio issue) gets technical fast: it exploits the gap between a SharePoint form submission and the agent’s context window. An attacker fills a public-facing comment field with a crafted payload that injects a fake system role message.
In Capsule’s testing, Copilot Studio concatenated the malicious input directly with the agent’s system instructions, with no input sanitization between the form and the model. The researchers say the injected payload overrode the agent’s original instructions in their proof of concept—prompting it to query connected SharePoint Lists for customer data and send that data via Outlook to an attacker-controlled email address. NVD classifies the flaw as low attack complexity and requiring no privileges. Microsoft’s own safety mechanisms flagged the request as suspicious, but the data still left the environment. And here’s the part that lands oddly in real life: Capsule says DLP never fired because the email went through a legitimate Outlook action that the system treated as authorized.
That “confused deputy” idea runs through the rest of the reporting. Carter Rees, VP of Artificial Intelligence at Reputation, described the architectural failure in Misryoum analysis: the LLM can’t inherently distinguish between trusted instructions and untrusted retrieved data, so it acts on behalf of the attacker. OWASP classifies this pattern as ASI01: Agent Goal Hijack. Rees also validated the diagnosis independently, arguing that defense-in-depth built on deterministic rules isn’t enough for agentic systems—runtime behavior matters.
PipeLeak, meanwhile, hits the same general vulnerability class through a different path. In Capsule’s testing, a public lead form payload hijacked an Agentforce agent with no authentication required. Capsule says it found no volume cap on the exfiltrated CRM data, and the employee who triggered the agent got no indication that anything had left the building. Earlier Agentforce research exists too: Misryoum newsroom reported that Noma Labs disclosed ForcedLeak (CVSS 9.4) in September 2025, and Salesforce patched that by enforcing Trusted URL allowlists. Capsule says PipeLeak survives that patch via an email channel through authorized tool actions.
Where it gets bigger than these two products is the structural argument Capsule is making: the lethal trifecta—access to private data, exposure to untrusted content, and the ability to communicate externally—shows up in most production agents. Misryoum editorial desk also noted Capsule’s view that runtime monitoring and “guardian agent” style enforcement are the missing layer, not just additional signature-style rules. Capsule says it hooks into vendor-provided agentic execution paths with no proxies, gateways, or SDKs, and evaluates every tool call before execution. In practice, SOC teams are being told to map telemetry across platform activity logs and webhook decisions, CRM audit logs for Agentforce, and EDR process-tree data for coding agents—because multi-turn attacks can look harmless until you stitch the conversation together.
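To make the "evaluate every tool call before execution" idea concrete, here is an added example of a runtime tool-call gate; it is not Capsule's product, Microsoft's or Salesforce's code, and everything in it (the tool names, the session event shape, the `corp.example` allowlist, the placeholder recipient domain) is an assumption constructed for illustration. It tracks, per conversation, whether untrusted content entered the context and whether private data was read, then decides on each outbound action: an external send to a non-allowlisted destination is blocked outright, and a send to an allowlisted destination from a session that already has all three trifecta ingredients is held for human approval rather than merely warned about.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical policy values, not taken from the article.
ALLOWED_EMAIL_DOMAINS = {"corp.example"}
ALLOWED_HTTP_HOSTS = {"api.corp.example"}
EXTERNAL_TOOLS = {"send_email", "http_post"}          # can move data out
PRIVATE_DATA_TOOLS = {"query_sharepoint_list", "query_crm"}  # can read private data


@dataclass
class SessionState:
    """Facts the gate must remember across turns of one conversation."""
    untrusted_sources: list = field(default_factory=list)
    private_reads: list = field(default_factory=list)
    decisions: list = field(default_factory=list)


class ToolCallGate:
    """Sits between the model's chosen tool call and its execution."""

    def __init__(self):
        self._sessions = {}

    def _state(self, session_id):
        return self._sessions.setdefault(session_id, SessionState())

    def record_ingest(self, session_id, source, trusted):
        """Call whenever content enters the context window (form field, file, web page)."""
        if not trusted:
            self._state(session_id).untrusted_sources.append(source)

    @staticmethod
    def _destination(tool, args):
        """Extract the outbound destination (mail domain or HTTP host) for an external tool."""
        if tool == "send_email":
            return args.get("to", "").rsplit("@", 1)[-1].lower()
        if tool == "http_post":
            return (urlparse(args.get("url", "")).hostname or "").lower()
        return None

    def evaluate(self, session_id, tool, args):
        """Return a decision dict: decision is 'allow', 'hold' (needs approval) or 'block'."""
        st = self._state(session_id)
        decision = {"session": session_id, "tool": tool,
                    "decision": "allow", "reason": "no policy match"}
        if tool in PRIVATE_DATA_TOOLS:
            st.private_reads.append(tool)
            decision["reason"] = "private-data read recorded"
        elif tool in EXTERNAL_TOOLS:
            dest = self._destination(tool, args)
            allowlist = ALLOWED_EMAIL_DOMAINS if tool == "send_email" else ALLOWED_HTTP_HOSTS
            if dest not in allowlist:
                # A legitimate, authorized action is still an exfil channel if the
                # destination is not one the organization chose in advance.
                decision.update(decision="block",
                                reason=f"destination {dest!r} not allowlisted")
            elif st.untrusted_sources and st.private_reads:
                # All three trifecta ingredients are present in this session:
                # untrusted input, private data, external communication.
                decision.update(decision="hold",
                                reason="untrusted content + private data + external send")
        st.decisions.append(decision)
        return decision

    def decisions(self, session_id):
        return list(self._state(session_id).decisions)


def replay_constructed_session():
    """Replays a constructed multi-turn session shaped like the article's scenario."""
    gate = ToolCallGate()
    sid = "sess-42"
    # Turn 1: a public form submission lands in the agent's context (untrusted).
    gate.record_ingest(sid, "sharepoint_form:comment", trusted=False)
    # Turn 2: the agent reads customer records; harmless when viewed alone.
    gate.evaluate(sid, "query_sharepoint_list", {"list": "Customers"})
    # Turn 3: an outbound mail through an authorized action to a non-allowlisted domain.
    gate.evaluate(sid, "send_email", {"to": "someone@recipient-placeholder.invalid", "body": "..."})
    # Turn 4: an allowlisted recipient, but the session is already tainted.
    gate.evaluate(sid, "send_email", {"to": "analyst@corp.example", "body": "..."})
    return gate.decisions(sid)


if __name__ == "__main__":
    for d in replay_constructed_session():
        print(d["tool"], d["decision"], "-", d["reason"])
```

The point of keeping state per session is the multi-turn problem the article raises: turns 2 and 3 each look benign in isolation, and only the stitched-together sequence reveals the pattern. In a real deployment the decision records would be the telemetry shipped to the SOC alongside platform activity logs, and the hold branch would route to whatever approval workflow the organization already runs.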
Paz described the broader shift bluntly: “Intent is the new perimeter.” It’s a line that sounds neat, maybe too neat, but the underlying point isn’t. If agents operate at machine speed and can act externally, posture management that only tells you what should happen isn’t stopping what does happen. And even with Microsoft’s patch landing Jan 15, Capsule’s testing says the real lesson is how runtime controls need to be designed so that “suspicious” isn’t just a warning—it’s the difference between the agent thinking and the agent doing.