Microsoft assigned CVE-2026-21520, a CVSS 7.5 oblique immediate injection vulnerability, to Copilot Studio. Capsule Safety found the flaw, coordinated disclosure with Microsoft, and the patch was deployed on January 15. Public disclosure went stay on Wednesday.
That CVE issues much less for what it fixes and extra for what it indicators. Capsule’s analysis calls Microsoft’s determination to assign a CVE to a immediate injection vulnerability in an agentic platform “extremely uncommon.” Microsoft beforehand assigned CVE-2025-32711 (CVSS 9.3) to EchoLeak, a immediate injection in M365 Copilot patched in June 2025, however that focused a productiveness assistant, not an agent-building platform. If the precedent extends to agentic methods broadly, each enterprise operating brokers inherits a brand new vulnerability class to trace. Besides that this class can’t be totally eradicated by patches alone.
Capsule additionally found what they name PipeLeak, a parallel oblique immediate injection vulnerability in Salesforce Agentforce. Microsoft patched and assigned a CVE. Salesforce has not assigned a CVE or issued a public advisory for PipeLeak as of publication, in accordance with Capsule’s analysis.
What ShareLeak truly does
The vulnerability that the researchers named ShareLeak exploits the hole between a SharePoint type submission and the Copilot Studio agent’s context window. An attacker fills a public-facing remark discipline with a crafted payload that injects a faux system position message. In Capsule’s testing, Copilot Studio concatenated the malicious enter immediately with the agent’s system directions with no enter sanitization between the shape and the mannequin.
The injected payload overrode the agent’s unique directions in Capsule’s proof-of-concept, directing it to question linked SharePoint Lists for buyer information and ship that information by way of Outlook to an attacker-controlled electronic mail tackle. NVD classifies the assault as low complexity and requires no privileges.
Microsoft’s personal security mechanisms flagged the request as suspicious throughout Capsule’s testing. The information was exfiltrated anyway. The DLP by no means fired as a result of the e-mail was routed via a official Outlook motion that the system handled as a licensed operation.
Carter Rees, VP of Synthetic Intelligence at Popularity, described the architectural failure in an unique VentureBeat interview. The LLM can not inherently distinguish between trusted directions and untrusted retrieved information, Rees stated. It turns into a confused deputy performing on behalf of the attacker. OWASP classifies this sample as ASI01: Agent Purpose Hijack.
The analysis workforce behind each discoveries, Capsule Safety, discovered the Copilot Studio vulnerability on November 24, 2025. Microsoft confirmed it on December 5 and patched it on January 15, 2026. Each safety director operating Copilot Studio brokers triggered by SharePoint types ought to audit that window for indicators of compromise.
PipeLeak and the Salesforce break up
PipeLeak hits the identical vulnerability class via a distinct entrance door. In Capsule’s testing, a public lead type payload hijacked an Agentforce agent with no authentication required. Capsule discovered no quantity cap on the exfiltrated CRM information, and the worker who triggered the agent acquired no indication that information had left the constructing. Salesforce has not assigned a CVE or issued a public advisory particular to PipeLeak as of publication.
Capsule just isn’t the primary analysis workforce to hit Agentforce with oblique immediate injection. Noma Labs disclosed ForcedLeak (CVSS 9.4) in September 2025, and Salesforce patched that vector by implementing Trusted URL allowlists. Based on Capsule’s analysis, PipeLeak survives that patch via a distinct channel: electronic mail by way of the agent’s licensed instrument actions.
Naor Paz, CEO of Capsule Safety, informed VentureBeat the testing hit no exfiltration restrict. “We didn’t get to any limitation,” Paz stated. “The agent would simply proceed to leak all of the CRM.”
Salesforce beneficial human-in-the-loop as a mitigation. Paz pushed again. “If the human ought to approve each single operation, it’s not likely an agent,” he informed VentureBeat. “It’s only a human clicking via the agent’s actions.”
Microsoft patched ShareLeak and assigned a CVE. Based on Capsule’s analysis, Salesforce patched ForcedLeak’s URL path however not the e-mail channel.
Kayne McGladrey, IEEE Senior Member, put it in another way in a separate VentureBeat interview. Organizations are cloning human person accounts to agentic methods, McGladrey stated, besides brokers use way more permissions than people would due to the velocity, the size, and the intent.
The deadly trifecta and why posture administration fails
Paz named the structural situation that makes any agent exploitable: entry to personal information, publicity to untrusted content material, and the power to speak externally. ShareLeak hits all three. PipeLeak hits all three. Most manufacturing brokers hit all three as a result of that mixture is what makes brokers helpful.
Rees validated the prognosis independently. Protection-in-depth predicated on deterministic guidelines is basically inadequate for agentic methods, Rees informed VentureBeat.
Elia Zaitsev, CrowdStrike’s CTO, referred to as the patching mindset itself the vulnerability in a separate VentureBeat unique. “Persons are forgetting about runtime safety,” he stated. “Let’s patch all of the vulnerabilities. Unimaginable. One way or the other at all times appear to overlook one thing.” Observing precise kinetic actions is a structured, solvable drawback, Zaitsev informed VentureBeat. Intent just isn’t. CrowdStrike’s Falcon sensor walks the method tree and tracks what brokers did, not what they appeared to mean.
Multi-turn crescendo and the coding agent blind spot
Single-shot immediate injections are the entry-level risk. Capsule’s analysis documented multi-turn crescendo assaults the place adversaries distribute payloads throughout a number of benign-looking turns. Every flip passes inspection. The assault turns into seen solely when analyzed as a sequence.
Rees defined why present monitoring misses this. A stateless WAF views every flip in a vacuum and detects no risk, Rees informed VentureBeat. It sees requests, not a semantic trajectory.
Capsule additionally discovered undisclosed vulnerabilities in coding agent platforms it declined to call, together with reminiscence poisoning that persists throughout periods and malicious code execution via MCP servers. In a single case, a file-level guardrail designed to limit which information the agent may entry was reasoned round by the agent itself, which discovered an alternate path to the identical information. Rees recognized the human vector: workers paste proprietary code into public LLMs and look at safety as friction.
McGladrey minimize to the governance failure. “If crime was a know-how drawback, we might have solved crime a reasonably very long time in the past,” he informed VentureBeat. “Cybersecurity threat as a standalone class is a whole fiction.”
The runtime enforcement mannequin
Capsule hooks into vendor-provided agentic execution paths — together with Copilot Studio’s safety hooks and Claude Code’s pre-tool-use checkpoints — with no proxies, gateways, or SDKs. The corporate exited stealth on Wednesday, timing its $7 million seed spherical, led by Lama Companions alongside Forgepoint Capital Worldwide, to its coordinated disclosure.
Chris Krebs, the primary Director of CISA and a Capsule advisor, put the hole in operational phrases. “Legacy instruments weren’t constructed to observe what occurs between immediate and motion,” Krebs stated. “That’s the runtime hole.”
Capsule’s structure deploys fine-tuned small language fashions that consider each instrument name earlier than execution, an method Gartner’s market information calls a “guardian agent.”
Not everybody agrees that intent evaluation is the precise layer. Zaitsev informed VentureBeat throughout an unique interview that intent-based detection is non-deterministic. “Intent evaluation will typically work. Intent evaluation can not at all times work,” he stated. CrowdStrike bets on observing what the agent truly did fairly than what it appeared to mean. Microsoft’s personal Copilot Studio documentation offers exterior security-provider webhooks that may approve or block instrument execution, providing a vendor-native management airplane alongside third-party choices. No single layer closes the hole. Runtime intent evaluation, kinetic motion monitoring, and foundational controls (least privilege, enter sanitization, outbound restrictions, focused human-in-the-loop) all belong within the stack. SOC groups ought to map telemetry now: Copilot Studio exercise logs plus webhook selections, CRM audit logs for Agentforce, and EDR process-tree information for coding brokers.
Paz described the broader shift. “Intent is the brand new perimeter,” he informed VentureBeat. “The agent in runtime can resolve to go rogue on you.”
VentureBeat Prescriptive Matrix
The next matrix maps 5 vulnerability lessons towards the controls that miss them, and the particular actions safety administrators ought to take this week.
Vulnerability Class
Why Present Controls Miss It
What Runtime Enforcement Does
Advised actions for safety leaders
ShareLeak — Copilot Studio, CVE-2026-21520, CVSS 7.5, patched Jan 15 2026
Capsule’s testing discovered no enter sanitization between the SharePoint type and the agent context. Security mechanisms flagged, however information nonetheless exfiltrated. DLP didn’t hearth as a result of the e-mail used a official Outlook motion. OWASP ASI01: Agent Purpose Hijack.
Guardian agent hooks into Copilot Studio pre-tool-use safety hooks. Vets each instrument name earlier than execution. Blocks exfiltration on the motion layer.
Audit each Copilot Studio agent triggered by SharePoint types. Prohibit outbound electronic mail to org-only domains. Stock all SharePoint Lists accessible to brokers. Assessment the Nov 24–Jan 15 window for indicators of compromise.
PipeLeak — Agentforce, no CVE assigned
In Capsule’s testing, public type enter flowed immediately into the agent context. No auth required. No quantity cap noticed on exfiltrated CRM information. The worker acquired no indication that information was leaving.
Runtime interception by way of platform agentic hooks. Pre-invocation checkpoint on each instrument name. Detects outbound information switch to non-approved locations.
Assessment all Agentforce automations triggered by public-facing types. Allow human-in-the-loop for exterior comms as interim management. Audit CRM information entry scope per agent. Strain Salesforce for CVE task.
Multi-Flip Crescendo — distributed payload, every flip seems to be benign
Stateless monitoring inspects every flip in isolation. WAFs, DLP, and exercise logs see particular person requests, not semantic trajectory.
Stateful runtime evaluation tracks full dialog historical past throughout turns. Tremendous-tuned SLMs consider aggregated context. Detects when a cumulative sequence constitutes a coverage violation.
Require stateful monitoring for all manufacturing brokers. Add crescendo assault eventualities to crimson workforce workouts.
Coding Brokers — unnamed platforms, reminiscence poisoning + code execution
MCP servers inject code and directions into the agent context. Reminiscence poisoning persists throughout periods. Guardrails reasoned round by the agent itself. Shadow AI insiders paste proprietary code into public LLMs.
Pre-invocation checkpoint on each instrument name. Tremendous-tuned SLMs detect anomalous instrument utilization at runtime.
Stock all coding agent deployments throughout engineering. Audit MCP server configs. Prohibit code execution permissions. Monitor for shadow installations.
Structural Hole — any agent with non-public information + untrusted enter + exterior comms
Posture administration tells you what ought to occur. It doesn’t cease what does occur. Brokers use way more permissions than people at far larger velocity.
Runtime guardian agent watches each motion in actual time. Intent-based enforcement replaces signature detection. Leverages vendor agentic hooks, not proxies or gateways.
Classify each agent by deadly trifecta publicity. Deal with immediate injection as class-based SaaS threat. Require runtime safety for any agent shifting to manufacturing. Temporary the board on agent threat as enterprise threat.
What this implies for 2026 safety planning
Microsoft’s CVE task will both speed up or fragment how the trade handles agent vulnerabilities. If distributors name them configuration points, CISOs carry the danger alone.
Deal with immediate injection as a class-level SaaS threat fairly than particular person CVEs. Classify each agent deployment towards the deadly trifecta. Require runtime enforcement for something shifting to manufacturing. Temporary the board on agent threat the best way McGladrey framed it: as enterprise threat, as a result of cybersecurity threat as a standalone class stopped being helpful the second brokers began working at machine velocity.
