Microsoft Copilot Studio Vulnerability: ShareLeak and PipeLeak

Microsoft recently identified and patched a critical vulnerability in Copilot Studio, assigning it the CVE-2026-21520. The flaw, a CVSS 7.5 indirect prompt injection vulnerability, was discovered by Capsule Security and disclosed to Microsoft. The patch was deployed on January 15, with public disclosure following shortly after.

The significance of CVE-2026-21520 lies not only in the fix it provides but also in the implications it carries. Microsoft’s decision to assign a CVE to a prompt injection vulnerability in an agent-building platform like Copilot Studio is considered unusual by Capsule’s research. This move indicates a shift in the security landscape, highlighting the need for heightened vigilance in enterprises utilizing agent-based systems.

In addition to ShareLeak in Copilot Studio, Capsule Security also uncovered PipeLeak, a similar vulnerability in Salesforce Agentforce. While Microsoft promptly patched and assigned a CVE for ShareLeak, Salesforce has yet to address PipeLeak publicly.

ShareLeak Vulnerability Exploitation

The ShareLeak vulnerability discovered by Capsule Security exploits a gap in the interaction between a SharePoint form submission and the Copilot Studio agent’s context window. By injecting a crafted payload into a public-facing comment field, attackers can manipulate the agent’s system instructions. This manipulation can lead to unauthorized access to sensitive data and its exfiltration without the need for special privileges.

Despite Microsoft’s safety mechanisms detecting suspicious activity during testing, the injected payload successfully bypassed security measures and exfiltrated data. The incident underscores the architectural shortcomings in distinguishing between legitimate and malicious instructions, as highlighted by Carter Rees, VP of Artificial Intelligence at Reputation.

The research conducted by Capsule Security not only unveiled the ShareLeak vulnerability but also shed light on PipeLeak in Salesforce Agentforce. The parallel indirect prompt injection vulnerability in Agentforce poses a similar risk, emphasizing the need for comprehensive security measures in agentic systems.

Addressing Agent Vulnerabilities

The emergence of vulnerabilities like ShareLeak and PipeLeak underscores the inherent risks associated with agent-based systems. Organizations must prioritize runtime security and adopt a proactive approach to detect and mitigate potential threats. Capsule Security’s findings serve as a wake-up call for enterprises to reassess their security posture and implement robust measures to safeguard against modern cyber threats.

Conclusion

The discovery of vulnerabilities in Copilot Studio and Agentforce highlights the evolving threat landscape facing organizations leveraging agentic systems. By addressing these vulnerabilities and strengthening their security defenses, companies can better protect their data and operations from malicious actors. It is imperative for security teams to stay vigilant, conduct regular audits, and implement proactive security measures to mitigate the risks posed by agent vulnerabilities.