The Lead Form Gave Orders

Enterprise agents are marketed as the safe, buttoned-up version of AI automation. They sit inside Microsoft or Salesforce, connect to business systems, and promise to move work along without employees clicking through every step. ShareLeak and PipeLeak are what happens when that trusted workflow starts accepting orders from the same forms customers and strangers can fill out.

Capsule Security disclosed two related prompt injection findings in April 2026: ShareLeak in Microsoft Copilot Studio and PipeLeak in Salesforce Agentforce. VentureBeat and CSO reported that the attacks used ordinary business input fields to influence agent behavior. In Microsoft's case, the issue was tied to Copilot Studio and tracked as CVE-2026-21520. In Salesforce's case, the reported path involved public-facing lead-form content and Agentforce workflows.

The rough shape is easy to understand. A company wires an agent to useful business tools: SharePoint lists, Outlook, CRM records, customer data, lead routing, or support workflows. The agent is then asked to process user-submitted text. If an attacker puts instructions into that text and the agent treats those instructions as higher-priority task guidance, the attacker gets a chance to steer the agent using the company's own integrations.

Authorized Tools, Unauthorized Purpose

The unsettling part is that the agent does not need to break into the CRM. It already has access because the company granted it access. It does not need to steal an email account if sending email is one of its assigned tools. It does not need to bypass every business control if the workflow was designed to let the agent perform actions on behalf of the organization.

That is why prompt injection is so awkward for enterprise automation. The tool calls can look legitimate in isolation. Read that record. Summarize that form. Send that message. Update that field. The security question is not just "is this action allowed?" It is "who caused this allowed action, and did the agent confuse attacker-supplied text with company intent?"

Traditional web application security has spent decades telling developers not to concatenate untrusted input into executable contexts. Agent systems keep rediscovering that lesson with nicer fonts. If a SharePoint comment or lead form is blended into an agent's instruction stream without strict boundaries, it becomes the prompt equivalent of raw SQL in a string builder.

CVE Labels Help, But They Do Not Solve the Pattern

Microsoft assigned CVE-2026-21520 to the Copilot Studio information disclosure issue, with the National Vulnerability Database listing the entry as a Copilot Studio flaw. That is useful because it gives security teams something concrete to track. It also makes the incident legible to organizations that still need CVE-shaped evidence before they prioritize a problem.

But the Salesforce side of the story shows why a single CVE is not enough. Capsule's research, as reported by VentureBeat and CSO, framed ShareLeak and PipeLeak as examples of a broader class of enterprise agent failure. The products differ, but the root risk is shared: agents with privileged business context are exposed to untrusted text and then allowed to act through normal business channels.

A patch can fix a specific unsafe path. It cannot by itself prove that every future workflow built with the platform separates data from instructions, scopes tools correctly, limits exfiltration paths, and asks for human confirmation when the requested action crosses a risk boundary.

The Form Was Not Supposed to Be a Control Plane

The grim comedy here is that lead forms and comments are among the least trustworthy inputs a business has. They are designed to be filled out by people outside the organization. They collect spam, sales pitches, malformed data, angry customer notes, and whatever else the public internet feels like donating. Connecting that stream to an agent that can query business data and send messages is not automatically wrong, but it requires a threat model that assumes the form is hostile.

Many agent deployments still seem to treat prompt injection as a model behavior problem instead of an application architecture problem. They hope the model will notice malicious instructions and decline. That is a brittle line of defense when the agent is being asked to operate at business speed across business systems. The better design is to make sure user-submitted content cannot become instructions in the first place, then add policy checks around the tools that can move data outside the company.

Why This Belongs Here

ShareLeak and PipeLeak are not funny because the payload text was clever. They are alarming because the workflow was plausible. This is exactly how companies want to use agents: read a form, inspect business records, draft an email, update the CRM, and keep the process moving. The failure comes from giving that workflow too much trust in its own inputs.

The safer version of enterprise agents needs provenance-aware context, input sanitization, tool-level authorization, egress controls, and human approval for sensitive disclosure. It also needs logs that explain which external input caused which tool call. Without that, a security team sees the agent doing normal agent things and has to reverse-engineer whether the intent came from the business or from a poisoned field.

This is the enterprise version of the old injection lesson. A public form is not a manager. A comment box is not a policy engine. If your agent cannot tell the difference, it may process a lead and leak the account list in the same helpful tone.