Microsoft has identified a prompt injection vulnerability in Copilot Studio, assigning it the CVE-2026-21520. Capsule Security, a cybersecurity firm, discovered the flaw and worked with Microsoft to deploy a patch on January 15, with public disclosure following shortly after.
The significance of this CVE lies not only in the vulnerability it addresses but also in what it signifies for the future. Microsoft’s decision to assign a CVE to a prompt injection vulnerability in an agentic platform like Copilot Studio is considered highly unusual. This move suggests that vulnerabilities in agent-building platforms may become a new class of concern for enterprises. Unlike typical vulnerabilities that can be fully eliminated with patches, this new class poses unique challenges.
Capsule Security also uncovered a similar vulnerability, named PipeLeak, in Salesforce Agentforce. While Microsoft promptly patched and assigned a CVE for this issue, Salesforce has yet to address it publicly.
ShareLeak, the vulnerability discovered in Copilot Studio, exploits a gap between a SharePoint form submission and the Copilot Studio agent’s context window. By injecting a crafted payload into a public-facing comment field, an attacker can manipulate the agent’s instructions to perform malicious actions. Despite Microsoft’s safety mechanisms flagging suspicious activity, data was still exfiltrated due to the legitimate actions performed by the agent.
The research team at Capsule Security found these vulnerabilities in late 2025, with Microsoft confirming and patching the issues in early 2026. Security directors using Copilot Studio agents triggered by SharePoint forms are advised to conduct thorough audits to detect any signs of compromise.
PipeLeak, the vulnerability affecting Salesforce Agentforce, operates similarly by allowing unauthorized access to CRM data. Despite previous patches addressing similar issues, Capsule found that PipeLeak bypasses these controls, highlighting the need for more robust security measures.
The overarching issue highlighted by these vulnerabilities is the fundamental structural flaw present in agent-based systems. Access to sensitive data, exposure to untrusted content, and external communication capabilities make agents susceptible to exploitation. Traditional security measures are insufficient to address these complex threats, necessitating a shift towards runtime enforcement models.
Capsule Security’s approach involves integrating with agentic execution paths to monitor and control tool usage in real-time. This runtime enforcement model aims to detect and prevent malicious actions before they can cause harm. By focusing on intent analysis and monitoring actual actions taken by agents, organizations can better protect themselves against evolving threats.
In conclusion, the emergence of CVE-2026-21520 and similar vulnerabilities underscores the need for a proactive approach to security in agentic systems. By prioritizing runtime enforcement, organizations can mitigate the risks associated with prompt injection and other advanced threats. It is crucial for security leaders to stay vigilant, conduct regular audits, and implement robust security measures to safeguard their systems against exploitation.