
Microsoft Addresses CVE-2026-21520 Vulnerability in Copilot Studio
Microsoft has identified and addressed CVE-2026-21520, a CVSS 7.5 indirect prompt injection vulnerability in Copilot Studio. The flaw was discovered by Capsule Security and disclosed to Microsoft, leading to a patch deployment on January 15. The public disclosure of the vulnerability took place on Wednesday.
Beyond the fix itself, the significance of CVE-2026-21520 lies in its implications. Microsoft’s decision to assign a CVE to a prompt injection vulnerability in an agentic platform is “highly unusual,” according to Capsule’s research. This move suggests that vulnerabilities in agent-building platforms are now being acknowledged and addressed. The precedent set by assigning CVE-2026-21520 may mean that enterprises running agents need to pay closer attention to this new class of vulnerabilities, which cannot be completely mitigated through patches alone.
In addition to the Copilot Studio vulnerability, Capsule Security also discovered a similar vulnerability named PipeLeak in Salesforce Agentforce. While Microsoft promptly patched the Copilot Studio issue and assigned it a CVE, Salesforce has not assigned a CVE or issued a public advisory for PipeLeak at the time of publication.
Understanding the ShareLeak Vulnerability
The ShareLeak vulnerability exploits a gap between a SharePoint form submission and the Copilot Studio agent’s context window. By injecting a crafted payload into a public-facing comment field, an attacker can manipulate the agent’s system instructions. This manipulation can lead to unauthorized access to customer data stored in connected SharePoint Lists, which is then sent to the attacker via Outlook. The attack is classified as low complexity and does not require special privileges.
During testing, Microsoft’s security mechanisms flagged the suspicious activity, but the data was still exfiltrated. The attack bypassed Data Loss Prevention (DLP) measures by using a legitimate Outlook action, tricking the system into treating the operation as authorized.
The architectural flaw behind ShareLeak was highlighted by Carter Rees, VP of Artificial Intelligence at Reputation, who described it as an inherent inability of the system to differentiate between trusted instructions and untrusted data. This confusion allows attackers to manipulate agent actions, a pattern classified by OWASP as ASI01: Agent Goal Hijack.
Capsule Security discovered the ShareLeak vulnerability on November 24, 2025, with Microsoft confirming and patching it by January 15, 2026. Organizations using Copilot Studio agents triggered by SharePoint forms are advised to conduct thorough audits to detect any signs of compromise.
Addressing PipeLeak and Salesforce’s Response
PipeLeak, a vulnerability similar to ShareLeak, was found in Salesforce Agentforce by Capsule Security. This vulnerability allowed unauthorized access to CRM data without authentication, with no indication to the user that data was being exfiltrated. While Microsoft promptly addressed ShareLeak, Salesforce has yet to assign a CVE or release a public advisory for PipeLeak.
Capsule Security’s CEO, Naor Paz, emphasized the lack of limitations on data exfiltration through PipeLeak, highlighting the need for effective mitigation strategies. Salesforce’s recommendation of human-in-the-loop validation was deemed insufficient by Paz, who argued that true agent autonomy should not rely on constant human intervention.
Both the ShareLeak and PipeLeak vulnerabilities underscore the need for robust security measures in agentic systems. A patching mindset alone may not be enough to combat these evolving threats, as highlighted by Elia Zaitsev, CrowdStrike’s CTO. Zaitsev emphasized the importance of runtime security and of observing actual agent actions to prevent malicious intent.
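As an added illustration (not code from Capsule, Microsoft, Salesforce or CrowdStrike), the sketch below shows a runtime check of the kind described above: it replays an agent run's actions in order and judges an outbound email by what the run touched beforehand, not by whether the mail connector is legitimate. The event fields, the trusted domain and the sample traces are constructed assumptions, not a vendor log schema.

```python
from dataclasses import dataclass, field

# Assumption: mail domains the organization treats as internal.
TRUSTED_DOMAINS = {"corp.example"}

@dataclass
class RunState:
    untrusted_input: bool = False  # run ingested text from a public-facing source
    sensitive_read: bool = False   # run read customer data
    findings: list = field(default_factory=list)

def evaluate_run(events, trusted_domains=TRUSTED_DOMAINS):
    """Replay one agent run in order; return (per-action verdicts, findings)."""
    state, verdicts = RunState(), []
    for ev in events:
        verdict = "allow"
        if ev["action"] == "trigger" and ev.get("public"):
            state.untrusted_input = True
        elif ev["action"] == "read" and ev.get("sensitive"):
            state.sensitive_read = True
        elif ev["action"] == "send_email":
            external = [r for r in ev["to"]
                        if r.rsplit("@", 1)[-1].lower() not in trusted_domains]
            if external and state.untrusted_input:
                # The connector being legitimate is irrelevant: the decision
                # rests on what the run touched before this send.
                verdict = "block" if state.sensitive_read else "review"
                state.findings.append((verdict, ev["run"], external))
        verdicts.append(verdict)
    return verdicts, state.findings

# Constructed traces (hypothetical field names, not a vendor log schema).
SUSPECT_RUN = [
    {"run": "r1", "action": "trigger", "source": "public form comment", "public": True},
    {"run": "r1", "action": "read", "target": "customer list", "sensitive": True},
    {"run": "r1", "action": "send_email", "to": ["drop@external.example"]},
]
ROUTINE_RUN = [
    {"run": "r2", "action": "trigger", "source": "public form comment", "public": True},
    {"run": "r2", "action": "read", "target": "customer list", "sensitive": True},
    {"run": "r2", "action": "send_email", "to": ["support@corp.example"]},
]

if __name__ == "__main__":
    for run in (SUSPECT_RUN, ROUTINE_RUN):
        print(evaluate_run(run))
```

The same replay can be run over historical agent logs as an audit pass, or placed in front of the send action to stop it before it executes.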
Conclusion
The vulnerabilities discovered in Copilot Studio and Agentforce serve as a wake-up call for organizations relying on agentic platforms. The evolving threat landscape calls for a shift towards runtime enforcement and intent-based security measures. By understanding and addressing these vulnerabilities proactively, organizations can better protect their data and operations in an increasingly complex digital environment.



