The patch worked, but the vulnerability class is permanent.
The Summary
- Microsoft assigned CVE-2026-21520, a CVSS 7.5 prompt injection flaw in Copilot Studio, marking the first CVE for an agent-building platform versus a productivity tool
- Salesforce's Agentforce has the same vulnerability class (PipeLeak) but has issued no CVE or public advisory as of publication
- Every enterprise deploying agents now inherits a vulnerability class that patches cannot fully eliminate
The Signal
Microsoft patched CVE-2026-21520 in January, a SharePoint-to-Copilot Studio prompt injection that Capsule Security named ShareLeak. The attack vector is almost boring in its simplicity: fill a public-facing SharePoint comment field with a crafted payload that injects a fake system role message. The agent reads it. The agent obeys it. Data walks out the door.
The patch matters less than the precedent. This is the first time Microsoft has assigned a CVE to a prompt injection vulnerability in an agent-building platform, not just a productivity assistant. Microsoft previously issued CVE-2025-32711 (CVSS 9.3) for EchoLeak in M365 Copilot last June, but that was a chat tool. Copilot Studio is infrastructure. Companies use it to build custom agents that touch internal data, external forms, customer support flows, and finance operations.
"If the precedent extends to agentic systems broadly, every enterprise running agents inherits a new vulnerability class to track."
Capsule calls the CVE assignment "highly unusual" because prompt injections have historically been treated as application logic bugs, not security vulnerabilities with formal tracking IDs. But once you start building agents that autonomously act on company data, the line between "weird behavior" and "exploitable attack surface" collapses. The moment an agent can be tricked into exfiltrating data through a comment box, you have a CVE-worthy problem.
The Salesforce angle sharpens the point. Capsule found PipeLeak, a parallel indirect prompt injection in Agentforce, Salesforce's answer to Copilot Studio. As of publication, Salesforce has not assigned a CVE or issued a public advisory. That divergence is the story. Microsoft acknowledged the vulnerability class exists at the platform level and gave it a formal ID. Salesforce has not. One treats this as patchable infrastructure risk. The other treats it as something else, or nothing at all.
Here is what enterprises need to internalize:
- Prompt injections are not one-off bugs. They are a structural consequence of agents parsing untrusted text as instructions.
- Patches can close specific attack paths. They cannot eliminate the attack surface as long as agents read user input.
- CVE assignment means security teams now have to track agent platforms the way they track OS kernels and web servers.
This is the tax for deploying agents in production. You get automation that saves hours. You get an attack surface that grows every time you connect an agent to a new data source or public-facing form. The trade is live, and there is no going back.
The Implication
If you are running Copilot Studio or Agentforce in production, audit every public-facing input field your agents touch. Assume any text box can become a command injection vector. Apply the same input validation and sandboxing discipline you would apply to SQL queries or shell commands.
Security teams should start tracking CVEs for agent platforms the same way they track CVEs for application servers. This is no longer theoretical risk. It is assigned, scored, and patchable infrastructure. If Salesforce does not assign a CVE for PipeLeak, that tells you something about how seriously they are treating the vulnerability class. Act accordingly.