Microsoft assigned CVE-2026-21520, a CVSS 7.5 oblique immediate injection vulnerability, to Copilot Studio. Capsule Safety found the flaw, coordinated disclosure with Microsoft, and the patch was deployed on January 15. Public disclosure went reside on Wednesday.
That CVE issues much less for what it fixes and extra for what it indicators. Capsule’s analysis calls Microsoft’s determination to assign a CVE to a immediate injection vulnerability in an agentic platform “extremely uncommon.” Microsoft beforehand assigned CVE-2025-32711 (CVSS 9.3) to EchoLeak, a immediate injection in M365 Copilot patched in June 2025, however that focused a productiveness assistant, not an agent-building platform. If the precedent extends to agentic techniques broadly, each enterprise operating brokers inherits a brand new vulnerability class to trace. Besides that this class can’t be totally eradicated by patches alone.
Capsule additionally found what they name PipeLeak, a parallel oblique immediate injection vulnerability in Salesforce Agentforce. Microsoft patched and assigned a CVE. Salesforce has not assigned a CVE or issued a public advisory for PipeLeak as of publication, in accordance with Capsule's analysis.
What ShareLeak truly does
The vulnerability that the researchers named ShareLeak exploits the hole between a SharePoint kind submission and the Copilot Studio agent’s context window. An attacker fills a public-facing remark area with a crafted payload that injects a faux system position message. In Capsule’s testing, Copilot Studio concatenated the malicious enter instantly with the agent’s system directions with no enter sanitization between the shape and the mannequin.
The injected payload overrode the agent’s unique directions in Capsule’s proof-of-concept, directing it to question linked SharePoint Lists for buyer knowledge and ship that knowledge by way of Outlook to an attacker-controlled e mail tackle. NVD classifies the assault as low complexity and requires no privileges.
Microsoft’s personal security mechanisms flagged the request as suspicious throughout Capsule’s testing. The information was exfiltrated anyway. The DLP by no means fired as a result of the e-mail was routed by a legit Outlook motion that the system handled as a certified operation.
Carter Rees, VP of Synthetic Intelligence at Fame, described the architectural failure in an unique VentureBeat interview. The LLM can’t inherently distinguish between trusted directions and untrusted retrieved knowledge, Rees mentioned. It turns into a confused deputy appearing on behalf of the attacker. OWASP classifies this sample as ASI01: Agent Objective Hijack.
The analysis group behind each discoveries, Capsule Safety, discovered the Copilot Studio vulnerability on November 24, 2025. Microsoft confirmed it on December 5 and patched it on January 15, 2026. Each safety director operating Copilot Studio brokers triggered by SharePoint kinds ought to audit that window for indicators of compromise.
PipeLeak and the Salesforce break up
PipeLeak hits the identical vulnerability class by a unique entrance door. In Capsule’s testing, a public lead kind payload hijacked an Agentforce agent with no authentication required. Capsule discovered no quantity cap on the exfiltrated CRM knowledge, and the worker who triggered the agent obtained no indication that knowledge had left the constructing. Salesforce has not assigned a CVE or issued a public advisory particular to PipeLeak as of publication.
Capsule just isn’t the primary analysis group to hit Agentforce with oblique immediate injection. Noma Labs disclosed ForcedLeak (CVSS 9.4) in September 2025, and Salesforce patched that vector by imposing Trusted URL allowlists. In keeping with Capsule's analysis, PipeLeak survives that patch by a unique channel: e mail by way of the agent's licensed device actions.
Naor Paz, CEO of Capsule Safety, informed VentureBeat the testing hit no exfiltration restrict. “We didn’t get to any limitation,” Paz mentioned. “The agent would simply proceed to leak all of the CRM.”
Salesforce beneficial human-in-the-loop as a mitigation. Paz pushed again. “If the human ought to approve each single operation, it’s probably not an agent,” he informed VentureBeat. “It’s only a human clicking by the agent’s actions.”
Microsoft patched ShareLeak and assigned a CVE. In keeping with Capsule's analysis, Salesforce patched ForcedLeak's URL path however not the e-mail channel.
Kayne McGladrey, IEEE Senior Member, put it in another way in a separate VentureBeat interview. Organizations are cloning human person accounts to agentic techniques, McGladrey mentioned, besides brokers use way more permissions than people would due to the velocity, the dimensions, and the intent.
The deadly trifecta and why posture administration fails
Paz named the structural situation that makes any agent exploitable: entry to personal knowledge, publicity to untrusted content material, and the power to speak externally. ShareLeak hits all three. PipeLeak hits all three. Most manufacturing brokers hit all three as a result of that mixture is what makes brokers helpful.
Rees validated the prognosis independently. Protection-in-depth predicated on deterministic guidelines is essentially inadequate for agentic techniques, Rees informed VentureBeat.
Elia Zaitsev, CrowdStrike’s CTO, known as the patching mindset itself the vulnerability in a separate VentureBeat unique. “Individuals are forgetting about runtime safety,” he mentioned. “Let’s patch all of the vulnerabilities. Not possible. By some means at all times appear to overlook one thing.” Observing precise kinetic actions is a structured, solvable drawback, Zaitsev informed VentureBeat. Intent just isn’t. CrowdStrike’s Falcon sensor walks the method tree and tracks what brokers did, not what they appeared to mean.
Multi-turn crescendo and the coding agent blind spot
Single-shot immediate injections are the entry-level risk. Capsule’s analysis documented multi-turn crescendo assaults the place adversaries distribute payloads throughout a number of benign-looking turns. Every flip passes inspection. The assault turns into seen solely when analyzed as a sequence.
Rees defined why present monitoring misses this. A stateless WAF views every flip in a vacuum and detects no risk, Rees informed VentureBeat. It sees requests, not a semantic trajectory.
Capsule additionally discovered undisclosed vulnerabilities in coding agent platforms it declined to call, together with reminiscence poisoning that persists throughout periods and malicious code execution by MCP servers. In a single case, a file-level guardrail designed to limit which recordsdata the agent might entry was reasoned round by the agent itself, which discovered an alternate path to the identical knowledge. Rees recognized the human vector: workers paste proprietary code into public LLMs and consider safety as friction.
McGladrey minimize to the governance failure. “If crime was a expertise drawback, we might have solved crime a reasonably very long time in the past,” he informed VentureBeat. “Cybersecurity threat as a standalone class is an entire fiction.”
The runtime enforcement mannequin
Capsule hooks into vendor-provided agentic execution paths — together with Copilot Studio's safety hooks and Claude Code's pre-tool-use checkpoints — with no proxies, gateways, or SDKs. The corporate exited stealth on Wednesday, timing its $7 million seed spherical, led by Lama Companions alongside Forgepoint Capital Worldwide, to its coordinated disclosure.
Chris Krebs, the primary Director of CISA and a Capsule advisor, put the hole in operational phrases. “Legacy instruments weren’t constructed to watch what occurs between immediate and motion,” Krebs mentioned. “That’s the runtime hole.”
Capsule's structure deploys fine-tuned small language fashions that consider each device name earlier than execution, an strategy Gartner's market information calls a "guardian agent."
Not everybody agrees that intent evaluation is the precise layer. Zaitsev informed VentureBeat throughout an unique interview that intent-based detection is non-deterministic. “Intent evaluation will generally work. Intent evaluation can’t at all times work,” he mentioned. CrowdStrike bets on observing what the agent truly did slightly than what it appeared to mean. Microsoft’s personal Copilot Studio documentation offers exterior security-provider webhooks that may approve or block device execution, providing a vendor-native management aircraft alongside third-party choices. No single layer closes the hole. Runtime intent evaluation, kinetic motion monitoring, and foundational controls (least privilege, enter sanitization, outbound restrictions, focused human-in-the-loop) all belong within the stack. SOC groups ought to map telemetry now: Copilot Studio exercise logs plus webhook selections, CRM audit logs for Agentforce, and EDR process-tree knowledge for coding brokers.
Paz described the broader shift. “Intent is the brand new perimeter,” he informed VentureBeat. “The agent in runtime can resolve to go rogue on you.”
VentureBeat Prescriptive Matrix
The next matrix maps 5 vulnerability courses in opposition to the controls that miss them, and the precise actions safety administrators ought to take this week.
Vulnerability Class | Why Present Controls Miss It | What Runtime Enforcement Does | Instructed actions for safety leaders |
ShareLeak — Copilot Studio, CVE-2026-21520, CVSS 7.5, patched Jan 15 2026 | Capsule’s testing discovered no enter sanitization between the SharePoint kind and the agent context. Security mechanisms flagged, however knowledge nonetheless exfiltrated. DLP didn’t fireplace as a result of the e-mail used a legit Outlook motion. OWASP ASI01: Agent Objective Hijack. | Guardian agent hooks into Copilot Studio pre-tool-use safety hooks. Vets each device name earlier than execution. Blocks exfiltration on the motion layer. | Audit each Copilot Studio agent triggered by SharePoint kinds. Limit outbound e mail to org-only domains. Stock all SharePoint Lists accessible to brokers. Evaluation the Nov 24–Jan 15 window for indicators of compromise. |
PipeLeak — Agentforce, no CVE assigned | In Capsule’s testing, public kind enter flowed instantly into the agent context. No auth required. No quantity cap noticed on exfiltrated CRM knowledge. The worker obtained no indication that knowledge was leaving. | Runtime interception by way of platform agentic hooks. Pre-invocation checkpoint on each device name. Detects outbound knowledge switch to non-approved locations. | Evaluation all Agentforce automations triggered by public-facing kinds. Allow human-in-the-loop for exterior comms as interim management. Audit CRM knowledge entry scope per agent. Strain Salesforce for CVE task. |
Multi-Flip Crescendo — distributed payload, every flip appears to be like benign | Stateless monitoring inspects every flip in isolation. WAFs, DLP, and exercise logs see particular person requests, not semantic trajectory. | Stateful runtime evaluation tracks full dialog historical past throughout turns. Tremendous-tuned SLMs consider aggregated context. Detects when a cumulative sequence constitutes a coverage violation. | Require stateful monitoring for all manufacturing brokers. Add crescendo assault situations to pink group workouts. |
Coding Brokers — unnamed platforms, reminiscence poisoning + code execution | MCP servers inject code and directions into the agent context. Reminiscence poisoning persists throughout periods. Guardrails reasoned round by the agent itself. Shadow AI insiders paste proprietary code into public LLMs. | Pre-invocation checkpoint on each device name. Tremendous-tuned SLMs detect anomalous device utilization at runtime. | Stock all coding agent deployments throughout engineering. Audit MCP server configs. Limit code execution permissions. Monitor for shadow installations. |
Structural Hole — any agent with personal knowledge + untrusted enter + exterior comms | Posture administration tells you what ought to occur. It doesn’t cease what does occur. Brokers use way more permissions than people at far higher velocity. | Runtime guardian agent watches each motion in actual time. Intent-based enforcement replaces signature detection. Leverages vendor agentic hooks, not proxies or gateways. | Classify each agent by deadly trifecta publicity. Deal with immediate injection as class-based SaaS threat. Require runtime safety for any agent shifting to manufacturing. Transient the board on agent threat as enterprise threat. |
What this implies for 2026 safety planning
Microsoft’s CVE task will both speed up or fragment how the business handles agent vulnerabilities. If distributors name them configuration points, CISOs carry the danger alone.
Deal with immediate injection as a class-level SaaS threat slightly than particular person CVEs. Classify each agent deployment in opposition to the deadly trifecta. Require runtime enforcement for something shifting to manufacturing. Transient the board on agent threat the best way McGladrey framed it: as enterprise threat, as a result of cybersecurity threat as a standalone class stopped being helpful the second brokers began working at machine velocity.
