Microsoft patched a Copilot Studio prompt injection. The data exfiltrated anyway.


Microsoft’s Unusual CVE Assignment to Copilot Studio

Recently, Microsoft assigned CVE-2026-21520, a CVSS 7.5 indirect prompt injection vulnerability, to Copilot Studio. This flaw was discovered by Capsule Security, who coordinated disclosure with Microsoft. The patch for this vulnerability was deployed on January 15, with public disclosure following shortly after.

While the CVE itself is significant, the real importance lies in what it signifies. Capsule’s research highlighted that Microsoft assigning a CVE to a prompt injection vulnerability in an agentic platform is highly unusual. Previously, Microsoft had assigned CVE-2025-32711 (CVSS 9.3) to EchoLeak, a prompt injection in M365 Copilot. However, this targeted a productivity assistant, not an agent-building platform. This new CVE suggests that every enterprise running agents now inherits a new vulnerability class to track, one that cannot be fully eliminated by patches alone.


Capsule also uncovered PipeLeak, a parallel indirect prompt injection vulnerability in Salesforce Agentforce. Microsoft patched its Copilot Studio flaw and assigned it a CVE; Salesforce, however, had not assigned a CVE or issued a public advisory for PipeLeak at the time of publication.

The Exploitation of ShareLeak

The researchers identified ShareLeak as a vulnerability that exploits the gap between a SharePoint form submission and the Copilot Studio agent’s context window. Attackers can inject a crafted payload into a public-facing comment field, which then injects a fake system role message. In testing, Capsule found that Copilot Studio concatenated the malicious input directly with the agent’s system instructions without any input sanitization, allowing the injected payload to override the agent’s original instructions. This directed the agent to query connected SharePoint Lists for customer data and send that data via Outlook to an attacker-controlled email address. The attack was classified as low complexity by NVD and required no special privileges.

During testing, Microsoft’s safety mechanisms flagged the suspicious request, but the data was still exfiltrated. The Data Loss Prevention (DLP) system did not trigger because the email was routed through a legitimate Outlook action, which the system treated as an authorized operation.

Carter Rees, VP of Artificial Intelligence at Reputation, described the architectural failure in an exclusive interview: the large language model (LLM) cannot inherently distinguish trusted instructions from untrusted retrieved data, which leaves it open to what OWASP classifies as ASI01: Agent Goal Hijack.

The research team at Capsule Security discovered the vulnerability in Copilot Studio on November 24, 2025. After confirmation by Microsoft on December 5, the patch was deployed on January 15, 2026. Security directors utilizing Copilot Studio agents triggered by SharePoint forms are advised to conduct audits to identify any compromise indicators.

PipeLeak and Salesforce’s Response

Similarly, PipeLeak exploited the same vulnerability class, allowing a public lead form payload to hijack an Agentforce agent without requiring authentication. Capsule’s testing revealed no volume cap on the exfiltrated CRM data, and the employee triggering the agent received no indication that data had been sent externally. While Salesforce patched a similar vulnerability named ForcedLeak disclosed by Noma Labs in September 2025 by enforcing Trusted URL allowlists, PipeLeak survived this patch through a different channel: email via the agent’s authorized tool actions.

Naor Paz, CEO of Capsule Security, emphasized the lack of exfiltration limits during their testing. He highlighted the need for a human-in-the-loop mitigation strategy, as recommended by Salesforce, but raised concerns about the effectiveness of such an approach in practice.

Microsoft patched ShareLeak and assigned a CVE, while Salesforce has yet to address the email channel vulnerability highlighted by Capsule’s research.

Kayne McGladrey, IEEE Senior Member, pointed out that organizations often replicate human user accounts in agentic systems, granting agents more permissions than humans due to their speed, scale, and intent.

The Threefold Challenge and the Limitations of Posture Management

Paz identified the structural condition that renders any agent exploitable: access to private data, exposure to untrusted content, and the ability to communicate externally. Both ShareLeak and PipeLeak exploited all three aspects, showcasing the inherent risks associated with production agents.

Rees echoed this sentiment, noting that traditional defense-in-depth strategies relying on deterministic rules are insufficient for agentic systems. Elia Zaitsev, CrowdStrike’s CTO, highlighted the vulnerability of the patching mindset itself, emphasizing the importance of runtime security in detecting actual kinetic actions.

The Rise of Multi-Turn Attacks and the Blind Spot in Coding Agents

Capsule’s research uncovered multi-turn crescendo attacks, where adversaries distribute payloads across multiple benign-looking turns to evade detection. Rees explained that current monitoring mechanisms often fail to detect such attacks due to their stateless nature, viewing each turn in isolation.

Additionally, Capsule identified undisclosed vulnerabilities in coding agent platforms, including memory poisoning and malicious code execution. Rees highlighted the human factor in these vulnerabilities, where employees inadvertently introduce security risks by pasting proprietary code into public platforms.

McGladrey emphasized the governance failure in addressing these vulnerabilities, pointing out that cybersecurity risk cannot be viewed in isolation from broader technological and organizational challenges.

The Evolution of Runtime Enforcement Models

To address these challenges, Capsule has developed an architecture that deploys fine-tuned small language models to evaluate every tool call before execution. This approach, known as a “guardian agent,” aims to provide real-time monitoring and enforcement of agentic actions.

Zaitsev, however, questioned the efficacy of intent-based analysis, suggesting that observing actual actions taken by agents is a more reliable approach. Microsoft’s Copilot Studio documentation offers external security-provider webhooks to approve or block tool execution, providing a multi-layered security approach.

Ultimately, the runtime enforcement model, which combines intent analysis, kinetic action monitoring, and foundational controls, is crucial for mitigating the risks associated with agentic systems. Security Operations Center (SOC) teams are advised to map telemetry data from various sources to detect and respond to potential threats.
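As an added illustration (not Capsule's, Microsoft's or Salesforce's code) of the pre-execution tool-call gate discussed here: it keeps state for the whole session rather than judging each turn in isolation, tracks the three conditions Paz describes (private data read, untrusted content seen, external communication requested), and refuses the outbound email that a per-action DLP check treated as an authorized Outlook operation. The tool names, the tenant domain and the event sequence are constructed for this example.

```python
from dataclasses import dataclass

INTERNAL_DOMAIN = "contoso.example"          # constructed tenant domain
PRIVATE_DATA_TOOLS = {"sharepoint_list_query", "crm_query"}   # constructed names
EXTERNAL_COMM_TOOLS = {"outlook_send_mail"}

@dataclass
class SessionState:
    """Session-wide state: a payload spread over several benign turns is judged against the whole conversation."""
    saw_untrusted_input: bool = False   # public form text entered the context
    holds_private_data: bool = False    # a connected data source has been read

def ingest_content(state, source_trusted):
    """Record the provenance of each piece of context (system prompt vs. form field)."""
    if not source_trusted:
        state.saw_untrusted_input = True

def evaluate_tool_call(state, tool, args):
    """Pre-execution gate: returns ALLOW, REVIEW (human-in-the-loop) or BLOCK."""
    if tool in PRIVATE_DATA_TOOLS:
        state.holds_private_data = True
        return "ALLOW"
    if tool in EXTERNAL_COMM_TOOLS:
        external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN)
                       for r in args.get("to", []))
        if not external:
            return "ALLOW"
        # Private data + untrusted content + external recipient: all three
        # conditions met, so the otherwise-authorized Outlook action is refused.
        if state.holds_private_data and state.saw_untrusted_input:
            return "BLOCK"
        return "REVIEW"   # external send without the full pattern: ask a human
    return "ALLOW"

def replay(events):
    state, decisions = SessionState(), []
    for kind, *rest in events:
        if kind == "content":
            ingest_content(state, rest[0])
        else:
            decisions.append(evaluate_tool_call(state, rest[0], rest[1]))
    return decisions

# Constructed ShareLeak-style sequence: trusted instructions, an untrusted form
# comment, a SharePoint list read, then an email to an outside address.
SHARELEAK_LIKE = [
    ("content", True),
    ("content", False),
    ("tool", "sharepoint_list_query", {"list": "Customers"}),
    ("tool", "outlook_send_mail", {"to": ["someone@attacker.example"]}),
]
```

Because the flags live on the session, the same verdict is reached when the untrusted text, the data read and the send request arrive in different turns.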

Conclusion

As we look ahead to 2026, the security landscape is evolving rapidly, with new vulnerabilities and threats emerging in agentic systems. Microsoft’s recent CVE assignment to Copilot Studio underscores the importance of addressing prompt injection vulnerabilities in these platforms. Organizations must adopt a class-based approach to SaaS risk management, focusing on the inherent risks posed by agents’ access to private data, exposure to untrusted content, and external communication capabilities.

By implementing runtime enforcement models and integrating fine-tuned language models, organizations can enhance their security posture and mitigate the risks associated with agentic systems. It is essential for security leaders to stay vigilant, conduct regular audits, and educate their teams on the evolving threat landscape to safeguard their digital assets effectively.
