Microsoft patched a Copilot Studio prompt injection. The data exfiltrated anyway.
Microsoft recently assigned CVE-2026-21520, a CVSS 7.5 indirect prompt injection vulnerability, to Copilot Studio. Capsule Security, the cybersecurity firm that discovered the flaw, worked closely with Microsoft to coordinate the disclosure, and the patch was deployed on January 15. The vulnerability was publicly disclosed on Wednesday.
The significance of CVE-2026-21520 extends beyond the single flaw it identifies. Capsule’s research noted how unusual it is for Microsoft to assign a CVE to a prompt injection vulnerability in an agentic platform like Copilot Studio. The assignment signals a new vulnerability class that enterprises running agents need to be aware of. Unlike traditional vulnerabilities, which a patch can eliminate, this class poses a persistent challenge.
Capsule Security also discovered a similar vulnerability, named PipeLeak, in Salesforce Agentforce. While Microsoft promptly patched the Copilot Studio issue and assigned it a CVE, Salesforce has not issued a CVE or public advisory for PipeLeak at the time of publication.
ShareLeak, the vulnerability identified in Copilot Studio, exploits a gap between a SharePoint form submission and the Copilot Studio agent’s context window. An attacker can inject a crafted payload into a public-facing comment field, overriding the agent’s instructions and potentially exfiltrating sensitive data. The injected payload can direct the agent to perform unauthorized actions, highlighting the need for enhanced security measures.
PipeLeak, the similar vulnerability found in Salesforce Agentforce, allows unauthorized access to CRM data without authentication. Even after previous vulnerabilities have been patched, new channels for exploitation can still exist, which is the ongoing challenge of securing agentic systems.
The research conducted by Capsule Security underscores the need for a shift in security posture management. Traditional security measures may not be sufficient to protect against the evolving threat landscape posed by agentic systems. Runtime enforcement, intent-based detection, and comprehensive monitoring are essential components of a robust security strategy for agentic applications.
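The runtime enforcement described above, as an added example that is not code from Capsule Security, Microsoft or Salesforce: a policy gate outside the model labels each context segment with its origin and refuses outbound tool calls to destinations off an allowlist while untrusted input is in the context. The tool names, origin labels and domains are hypothetical.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# All names below are hypothetical; not a Copilot Studio or Agentforce API.
TRUSTED_ORIGINS = {"system_prompt", "authenticated_operator"}
EGRESS_TOOLS = {"send_email", "http_post"}    # tools that move data out
ALLOWED_DOMAINS = {"example-corp.test"}       # constructed allowlist

@dataclass(frozen=True)
class ContextSegment:
    origin: str  # provenance label set by the platform, never by the model
    text: str

@dataclass(frozen=True)
class ToolCall:
    tool: str
    destination: str  # email address or URL the tool would send to

def destination_domain(dest):
    """Reduce an email address or URL to its lower-case host."""
    if "://" in dest:
        return (urlparse(dest).hostname or "").lower()
    return dest.rsplit("@", 1)[-1].strip().lower()

def context_is_tainted(context):
    """True if any segment came from a source outside TRUSTED_ORIGINS."""
    return any(seg.origin not in TRUSTED_ORIGINS for seg in context)

def authorize(call, context):
    """Runtime decision made outside the model: allow, review or deny."""
    if call.tool not in EGRESS_TOOLS:
        return "allow"
    # Exact match only, so look-alike suffixes and userinfo tricks fail.
    if destination_domain(call.destination) in ALLOWED_DOMAINS:
        return "allow"
    # Unknown destination: hard deny while untrusted text is in context,
    # otherwise hand the call to a human approver.
    return "deny" if context_is_tainted(context) else "review"

if __name__ == "__main__":
    ctx = [ContextSegment("system_prompt", "<constructed system prompt>"),
           ContextSegment("public_form_field", "<constructed comment text>")]
    for dest in ("ops@example-corp.test", "inbox@outside.test"):
        print(dest, authorize(ToolCall("send_email", dest), ctx))
```

The decision depends on where the text came from and where the data would go, not on recognising the payload's wording, so it holds when the injected text is rephrased.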
As organizations continue to deploy agents for various tasks, it is crucial to prioritize runtime security and adopt a proactive approach to identifying and mitigating vulnerabilities. By addressing the structural gaps that make agents exploitable, businesses can better protect their data and systems from potential threats.
In conclusion, the emergence of new vulnerability classes in agentic systems necessitates a reevaluation of security strategies. By focusing on runtime enforcement, intent analysis, and comprehensive monitoring, organizations can better protect against the evolving threat landscape posed by prompt injection vulnerabilities. It is essential for security leaders to stay informed about these developments and take proactive steps to secure their agentic applications effectively.



