ForcedLeak: What Salesforce Agentforce's CVSS 9.4 Exploit Reveals About AI Agent Governance

Source: DEV Community
On September 25, 2025, Noma Security publicly disclosed ForcedLeak: a CVSS 9.4 vulnerability chain in Salesforce Agentforce that let an external attacker — using nothing but a public Web-to-Lead form and a $5 domain purchase — exfiltrate sensitive CRM data from any Salesforce organization running Agentforce. The attack required zero interaction from the victim. It left no obvious trail before Salesforce's patch. And it worked because the governance layer that should have sat between the agent's intent and its actions didn't exist.

Salesforce acted responsibly: they received Noma's report on July 28, 2025, implemented Trusted URLs Enforcement for Agentforce and Einstein AI on September 8, and allowed public disclosure on September 25. The patching timeline was reasonable.

What the incident reveals isn't a failure of Salesforce's security team — it's a structural demonstration of what happens when an agentic system has broad tool access, processes untrusted input, and has no runtime enfo
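As an added illustration (not Salesforce's implementation and not Noma's research code), the following Python sketches the kind of runtime egress check the article calls a governance layer between an agent's intent and its actions: before an agent tool is allowed to fetch a URL, the host is normalized and matched exactly against a trusted-host list, and every denial produces an audit line. `TRUSTED_HOSTS`, `Decision`, `evaluate_egress` and `audit_line` are hypothetical names chosen for this example; the hosts and URLs are constructed, and nothing here reproduces how Salesforce's Trusted URLs Enforcement is actually built.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed allowlist: hosts an agent's tools may contact. In a real
# deployment this would be a reviewed, versioned policy, not a constant.
TRUSTED_HOSTS = frozenset({"api.example-crm.com", "files.example-crm.com"})


@dataclass(frozen=True)
class Decision:
    """Outcome of an egress policy check for one outbound URL."""
    allowed: bool
    reason: str


def evaluate_egress(url: str, trusted_hosts=TRUSTED_HOSTS) -> Decision:
    """Decide whether an agent tool may fetch `url`.

    Only https to an exact, normalized hostname on the allowlist passes.
    Everything else (other schemes, userinfo tricks, IP literals, odd
    ports, lookalike or parent domains) is denied with a stated reason.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        return Decision(False, f"unparseable url: {exc}")

    if parts.scheme.lower() != "https":
        return Decision(False, f"scheme {parts.scheme!r} is not https")

    # "https://trusted.example@evil.example/" puts the trusted name in the
    # userinfo part; the real host is after the '@'. Refuse it outright.
    if parts.username is not None or parts.password is not None:
        return Decision(False, "userinfo in authority is not permitted")

    host = parts.hostname
    if not host:
        return Decision(False, "missing host")
    host = host.rstrip(".").lower()  # drop trailing dot, lower-case

    try:
        ipaddress.ip_address(host)
        return Decision(False, "ip literal is not permitted")
    except ValueError:
        pass  # not an IP literal, continue

    try:
        port = parts.port
    except ValueError:
        return Decision(False, "port is not a valid integer")
    if port not in (None, 443):
        return Decision(False, f"port {port} is not permitted")

    # Exact match only: no suffix/prefix matching, so
    # "api.example-crm.com.example.net" does not inherit trust.
    if host not in trusted_hosts:
        return Decision(False, f"host {host!r} is not on the trusted list")
    return Decision(True, f"host {host!r} is on the trusted list")


def audit_line(tool: str, url: str, decision: Decision) -> str:
    """Render one structured audit record for the policy decision."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return f"egress_policy tool={tool} verdict={verdict} url={url!r} reason={decision.reason!r}"


if __name__ == "__main__":
    # Constructed sample tool calls an agent might attempt.
    sample_calls = [
        ("web_fetch", "https://api.example-crm.com/leads/42"),
        ("web_fetch", "https://API.Example-CRM.com./leads/42"),
        ("web_fetch", "https://api.example-crm.com.example.net/collect"),
        ("web_fetch", "https://api.example-crm.com@example.net/collect"),
        ("web_fetch", "http://api.example-crm.com/leads/42"),
        ("web_fetch", "https://192.0.2.10/collect"),
        ("web_fetch", "https://api.example-crm.com:8443/leads/42"),
    ]
    for tool, url in sample_calls:
        print(audit_line(tool, url, evaluate_egress(url)))
```

The design choice worth noting is exact-host matching after normalization: a suffix or substring match would let a lookalike domain inherit trust, and skipping the userinfo check would let a trusted name appear in the URL while the request goes elsewhere. The audit line is what a SOC would key detections on; a burst of `verdict=DENY` records from one agent session is a useful signal that injected instructions are trying to reach an unexpected host.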