Microsoft has assigned CVE-2026-21520, a CVSS 7.5 oblique immediate injection vulnerability, to Copilot Studio. Capsule Safety found the flaw and coordinated with Microsoft to make it public and deploy a patch on January fifteenth. Public viewing started on Wednesday.
CVE is much less about what it fixes and extra about what it tells you. Capsule’s analysis calls Microsoft’s resolution to assign a CVE to the agent platform immediate injection vulnerability “extremely uncommon.” Microsoft beforehand assigned EchoLeak CVE-2025-32711 (CVSS 9.3), a immediate injection into M365 Copilot patched in June 2025, which focused the Productiveness Assistant quite than the agent constructing platform. If this precedent have been to increase broadly to agent techniques, each firm operating an agent would inherit a brand new vulnerability class to trace. Nonetheless, this class can’t be fully eliminated with a patch alone.
Capsule additionally found a parallel oblique immediate injection vulnerability in Salesforce Agentforce known as PipeLeak. Microsoft has utilized the patch and assigned the CVE. In accordance with Capsule’s analysis, Salesforce has not assigned any CVEs or issued any public advisories towards PipeLeak on the time of publication.
What ShareLeak truly does
The vulnerability, which researchers have dubbed ShareLeak, exploits a spot between a SharePoint kind submission and the Copilot Studio agent’s context window. An attacker embeds a crafted payload in a public remark discipline that injects a pretend system function message. In Capsule testing, Copilot Studio concatenated the malicious enter immediately with the agent’s system directions with none enter sanitization between the shape and the mannequin.
The injected payload overridden the agent’s authentic directions in Capsule’s proof of idea, instructing it to question a related SharePoint record for buyer information and ship that information by way of Outlook to an attacker-controlled e-mail deal with. NVD classifies assaults as low complexity and doesn’t require any privileges.
Microsoft’s personal security mechanisms flagged requests as suspicious throughout Capsule testing. The info was extracted anyway. DLP was not triggered as a result of the e-mail was routed by way of a legit Outlook motion that the system treats as a certified operation.
Carter Rees, Popularity’s vp of synthetic intelligence, defined the structure’s failure in an unique interview with VentureBeat. Reese stated LLM inherently can’t distinguish between trusted directions and unreliable captured information. Grow to be a confused agent on behalf of the attacker. OWASP classifies this sample as ASI01: Agent Aim Hijack.
Capsule Safety, the analysis crew behind each discoveries, found the Copilot Studio vulnerability on November 24, 2025. Microsoft confirmed it on December fifth and patched it on January fifteenth, 2026. All safety administrators operating Copilot Studio brokers which are triggered by SharePoint types ought to audit their home windows for indicators of safety compromise.
PipeLeak and Salesforce Break up
PipeLeak assaults the identical vulnerability class by way of a unique entrance door. In Capsule testing, public lead kind payloads hijacked Agentforce brokers with out requiring authentication. Capsule found that the leaked CRM information had no quantity cap, and the worker who activated the agent acquired no indication that the info had left the constructing. On the time of publication, Salesforce has not assigned a CVE or issued a public advisory particular to PipeLeak.
Capsule isn’t the primary analysis crew to assault Agentforce with oblique immediate injection. Noma Labs revealed ForcedLeak (CVSS 9.4) in September 2025, and Salesforce patched that vector by implementing a trusted URL allowlist. In accordance with Capsule’s analysis, PipeLeak survives its patching by way of one other channel: e-mail by way of the actions of brokers’ approved instruments.
Naor Paz, CEO of Capsule Safety, informed VentureBeat that the take a look at didn’t attain information breach limits. “We did not hit any limits,” Paz stated. “Brokers will proceed to leak all their CRMs.”
Salesforce really helpful human intervention as a mitigation technique. The move was pushed again. “If a human has to approve each operation, it is probably not an agent,” he informed VentureBeat. “It is only a human clicking on the agent’s actions.”
Microsoft has patched ShareLeak and assigned a CVE. In accordance with Capsule’s analysis, Salesforce patched ForcedLeak’s URL path, however not the e-mail channel.
IEEE senior member Kayne McGladrey put it otherwise in a separate VentureBeat interview. McGladry stated organizations are replicating human person accounts into agent techniques, however brokers use much more privileges than people attributable to their velocity, scale and goal.
The deadly three-way and the explanation why posture administration fails
Paz cites entry to private information, publicity to untrusted content material, and the power to speak with the skin world as structural circumstances that make any agent exploitable. ShareLeak is all three. PipeLeak hits all three. Most manufacturing brokers are all three. That mixture is what makes the agent helpful.
Mr. Rees independently verified the prognosis. Reese informed VentureBeat that defense-in-depth, which depends on deterministic guidelines, is basically insufficient for agent techniques.
CrowdStrike CTO Elia Zaitsev calls the thought of patching itself a VentureBeat-only vulnerability. “Persons are forgetting about runtime safety,” he stated. “Let’s patch all of the vulnerabilities. It is unattainable. Someway one thing at all times appears to be lacking.” Observing actual athletic habits is a structured, solvable downside, Zaitsev informed VentureBeat. That is not the intention. CrowdStrike’s Falcon sensor follows the method tree, monitoring the actions the agent took, not what the agent appeared to mean.
Multi-turn crescendos and coding agent blind spots
Single-prompt injections are an entry-level risk. Capsule’s analysis documented multi-turn crescendo assaults wherein the adversary spreads the payload over a number of seemingly benign turns. Every flip passes inspection. Assaults are solely seen when analyzed as a sequence.
Mr Rees defined why present monitoring is lacking this. Reese informed VentureBeat {that a} stateless WAF displays every flip individually and doesn’t detect threats. Refers to requests, not semantic trajectories.
Capsule additionally found undisclosed vulnerabilities in its Coding Agent platform, which it didn’t title. This contains persistent reminiscence poisoning between classes and execution of malicious code by way of the MCP server. In a single case, file-level guardrails designed to restrict the information an agent may entry have been circumvented by the agent itself and an alternate path to the identical information was discovered. Rees recognized a human vector wherein staff paste their very own code into public LLMs and see safety as a friction.
Mr. McGladry opened up on governance failures. “If crime have been a know-how downside, it will have been solved a very long time in the past,” he informed VentureBeat. “Cybersecurity danger as a separate class is full fiction.”
runtime enforcement mannequin
Capsule hooks into vendor-provided agent execution paths, comparable to Copilot Studio’s safety hooks and Claude Code’s pre-tool checkpoints, with out utilizing proxies, gateways, or SDKs. The corporate exited stealth on Wednesday, timing a coordinated disclosure of a $7 million seed spherical led by Rama Companions together with Forgepoint Capital Worldwide.
Chris Krebs, CISA’s first director and capsule advisor, pointed to operational gaps. “Conventional instruments aren’t constructed to observe what’s occurring between the immediate and the motion,” Krebs says. “That is the runtime hole.”
Capsule’s structure deploys a small, fine-tuned language mannequin that evaluates each software name earlier than execution. Gartner’s market information describes this method as "Guardian agent."
Not everybody agrees that intent evaluation is the best layer. Zaitsev informed VentureBeat in an unique interview that intent-based detection is non-deterministic. “Typically intent evaluation works. Intent evaluation does not at all times work,” he stated. CrowdStrike is betting on observing what brokers truly do quite than what they seem to mean. Microsoft’s personal Copilot Studio documentation gives exterior safety supplier webhooks that may authorize or block software execution, offering a vendor-native management airplane together with third-party choices. No single layer can bridge the hole. Runtime intent evaluation, dynamic motion monitoring, and primary controls (least privilege, enter sanitization, sending limits, focused human individuals) all belong within the stack. SOC groups ought to now map telemetry comparable to exercise logs and webhook selections in Copilot Studio, CRM audit logs in Agentforce, and EDR course of tree information for coding brokers.
Mr Paz described broader modifications. “Intention is the brand new boundary,” he informed VentureBeat. “A operating agent might resolve to commit fraud towards you.”
VentureBeat Prescription Matrix
The next matrix maps the 5 vulnerability courses, the controls which are lacking them, and the particular actions safety officers ought to take this week.
vulnerability class
Why does present management miss it?
Runtime enforcement options
Really useful actions for safety leaders
ShareLeak — Copilot Studio, CVE-2026-21520, CVSS 7.5, patched on January 15, 2026
Capsule testing revealed a scarcity of enter sanitization between the SharePoint kind and the agent context. Security mechanisms have been flagged, however the information was nonetheless uncovered. DLP didn’t fireplace as a result of the e-mail used a legit Outlook motion. OWASP ASI01: Agent aim hijacking.
The Guardian agent hooks into Copilot Studio’s pre-tool safety hooks. Scrutinize all software calls earlier than execution. Block leaks on the motion layer.
Audit all Copilot Studio brokers triggered by SharePoint types. Limit outgoing e-mail to your group’s domains solely. Stock all SharePoint lists that the agent can entry. Examine the interval from November twenty fourth to January fifteenth for indicators of compromise.
PipeLeak — Agentforce, CVE not assigned
In Capsule testing, public kind enter flowed immediately into the agent context. No authentication required. There isn’t a quantity restrict for leaked CRM information. Staff acquired no indication that their information had been compromised.
Runtime interception by way of platform agent hooks. Pre-call checkpoints on each software name. Detect outgoing information transfers to unauthorized locations.
Assessment all Agentforce automations triggered by publishing types. As an interim management, allow human interplay for exterior communications. Audit CRM information entry scope by agent. Stress Salesforce on CVE allocations.
Multi-turn crescendo — distributed payload, every flip appears superb
Stateless monitoring inspects every flip individually. WAF, DLP, and exercise logs present particular person requests quite than semantic trajectories.
Stateful runtime evaluation tracks the entire dialog historical past throughout turns. High quality-tuned SLM evaluates aggregated context. Detects when cumulative sequences violate coverage.
Stateful monitoring is required for all manufacturing brokers. Provides a crescendo assault state of affairs to Purple Group workout routines.
Coding agent — unnamed platform, reminiscence poisoning + code execution
The MCP server injects code and directions into the agent context. Reminiscence poisoning persists throughout classes. Guardrails are inferred by the brokers themselves. Shadow AI insiders paste their very own code into the general public LLM.
Pre-call checkpoints on each software name. A fine-tuned SLM detects anomalous software utilization at runtime.
Stock all coding agent deployments throughout engineering. Audit your MCP server configuration. Limit code execution privileges. Monitor shadow installations.
Structural gaps — brokers with non-public information + untrusted enter + exterior communication
Posture administration tells you what ought to occur. What occurred does not cease. Brokers use much more privileges and far sooner than people.
The runtime guardian agent displays all actions in actual time. Intent-based enforcement replaces signature detection. Make the most of vendor agent hooks quite than proxies or gateways.
Classify all brokers primarily based on three deadly exposures. Deal with immediate injection as a class-based SaaS danger. Brokers transferring into manufacturing require runtime safety. Clarify company dangers to the board as enterprise dangers.
What this implies for safety planning in 2026
Microsoft’s CVE project will speed up or fragment the best way the business offers with agent vulnerabilities. If the seller calls them configuration points, the CISO bears the only danger.
Deal with immediate injection as a class-level SaaS danger quite than a separate CVE. Classify all agent deployments towards three vital elements. Runtime enforcement is required for something transferring into manufacturing. McGladry describes agent danger in the best way he frames it as enterprise danger, as a result of the second brokers begin working at machine velocity, cybersecurity danger as a separate class turns into ineffective.
