At Salesforce, trust is our #1 value. We understand that our customers’ success depends on the security of their data. That’s why in addition to our ongoing internal security assessments, we continuously invest in rigorous security research through external initiatives, leading to continued proactive product improvements. Today, we are sharing insights from a recent collaboration, offering a closer look at how we’re working to protect your Salesforce environment.
Spotlight on innovation: Our partnership in security research
To gain deeper insights into our platform’s security, we collaborate with research-driven groups like AppOmni, a provider of SaaS security solutions. This initiative combined AppOmni’s specialized research insights with Salesforce’s deep platform expertise, providing a valuable external perspective. Through a focused security evaluation of our OmniStudio product, AppOmni identified opportunities to enhance configurations. In partnership, we conducted a comprehensive analysis to assess the relevance of these findings, and Salesforce successfully implemented improvements tailored to our environment.
Investing in your security: Product improvements now available
Complementing our ongoing internal security audits, this research provided an additional layer of insight, directly informing our ongoing investment in fundamental product improvements. By incorporating AppOmni’s findings, our engineering teams further refined and enhanced the security and reliability of OmniStudio. These improvements are now available to customers:
- Enhanced data masking for encrypted fields: AppOmni’s research uncovered a specific scenario involving OmniStudio FlexCards and the ComponentController Apex class where, under certain configurations, encrypted data could potentially be displayed in plaintext to users who did not possess the ‘View Encrypted Data’ permission. In response to this finding, we’ve implemented robust enhancements to ensure that encrypted data is consistently and appropriately masked for all users. Viewing this data requires a specific grant of the ‘View Encrypted Data’ permission, ensuring access is intentional and auditable. This proactive improvement significantly strengthens the confidentiality and integrity of your sensitive data within OmniStudio. For the published CVE, please refer to CVE-2025-43700.
- Strengthened protection for custom settings from guest users: Under specific configurations of FlexCard SOQL datasources, or through the ComponentController Apex class, Guest Users could potentially bypass existing platform-level security measures designed to prevent access to Custom Settings. Since Custom Settings often contain sensitive information, this presented a risk of unintended information disclosure to unauthenticated users. We promptly addressed this by reinforcing the security mechanisms within OmniStudio. Guest Users are now consistently prevented from accessing Custom Settings values, thereby safeguarding your sensitive data stored in these settings from unauthorized access. For the published CVE, please refer to CVE-2025-43701.
- SOQL data source circumvents field-level security: The SOQL data source within FlexCards bypassed standard Salesforce Field-Level Security (FLS) during data retrieval. Consequently, users could gain access to field values even without explicit FLS permissions, potentially leading to the disclosure of sensitive information to unintended parties. This circumvention of a fundamental security control is particularly concerning when considering other potential vulnerabilities, such as access control bypasses and the exposure of encrypted data. We have addressed this by ensuring the SOQL data source now respects and enforces Field-Level Security, thereby preventing unauthorized access to sensitive fields and strengthening data protection within OmniStudio. For the published CVE, please refer to CVE-2025-43698.
- Unintended plaintext exposure via data mappers: AppOmni’s research identified that ‘Extract’ and ‘Turbo Extract’ Data Mappers could inadvertently expose plaintext values of Classic Encrypted fields without requiring the user executing the DataMapper to possess the ‘View Encrypted Data’ permission. This circumvented the intended access controls for encrypted data and occurred by default unless a specific configuration setting was enabled to prevent it. We have addressed this by ensuring DataMappers now respect the ‘View Encrypted Data’ permission and are also reinforcing the importance of enabling FLS checks. For the published CVE, please refer to CVE-2025-43697.
- Enhanced permission validation for FlexCards: AppOmni identified that the ‘Required Permission’ field, intended to restrict access to certain OmniStudio FlexCards, performed its validation client-side. This meant that while the permission check was effective when FlexCards were executed through the user interface, it could be bypassed if a FlexCard was invoked directly (e.g., via an API or background process), potentially allowing unauthorized users to gain access to sensitive data. We have addressed this by implementing robust server-side permission validation for the ‘Required Permission’ field. This ensures consistent and secure access control, preventing unauthorized execution of restricted FlexCards and protecting sensitive information regardless of how the FlexCard is invoked. For the published CVE, please refer to CVE-2025-43699.
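The two patterns behind the SOQL field-level security finding and the client-side ‘Required Permission’ finding, shown side by side in an added Apex example that is not Salesforce’s or AppOmni’s code: it assumes a custom Apex service that reads data on behalf of a card, and that the required permission is modelled as a custom permission (the class, method and permission names are hypothetical).

```apex
public with sharing class FlexCardDataService {

    // Hypothetical custom permission standing in for the card's 'Required Permission'.
    private static final String REQUIRED_PERMISSION = 'View_Card_Data';

    // Weak shape: no server-side gate (the check is assumed to live in the client),
    // and Database.query runs in system mode, so FLS is never consulted.
    public static List<SObject> fetchUnsafe(String objectName, List<String> fieldNames, Id recordId) {
        String soql = 'SELECT ' + String.join(fieldNames, ', ') + ' FROM ' + objectName
            + ' WHERE Id = :recordId';
        return Database.query(soql);
    }

    // Hardened shape: gate on the server for every caller (UI, API, batch or flow),
    // validate object and field names against the schema before they reach the query,
    // run in user mode so FLS and sharing apply, and strip inaccessible fields as a second guard.
    public static List<SObject> fetchSecure(String objectName, List<String> fieldNames, Id recordId) {
        if (!FeatureManagement.checkPermission(REQUIRED_PERMISSION)) {
            throw new CardAccessException('Running user lacks ' + REQUIRED_PERMISSION);
        }
        Schema.SObjectType sot = Schema.getGlobalDescribe().get(objectName);
        if (sot == null) {
            throw new CardAccessException('Unknown object: ' + objectName);
        }
        Schema.DescribeSObjectResult objDescribe = sot.getDescribe();
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        List<String> safeFields = new List<String>();
        for (String f : fieldNames) {
            if (!fieldMap.containsKey(f.toLowerCase())) {
                throw new CardAccessException('Unknown field: ' + f);
            }
            safeFields.add(f);
        }
        String soql = 'SELECT ' + String.join(safeFields, ', ') + ' FROM ' + objDescribe.getName()
            + ' WHERE Id = :recordId';
        // USER_MODE makes the query honour the running user's FLS and sharing rules.
        List<SObject> rows = Database.queryWithBinds(
            soql, new Map<String, Object>{ 'recordId' => recordId }, AccessLevel.USER_MODE);
        // Second guard: drop any field the running user cannot read before returning.
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }

    public class CardAccessException extends Exception {}
}
```

Note that user mode and stripInaccessible cover field-level security only; masking of Classic Encrypted field values is governed separately by the ‘View Encrypted Data’ permission, as the data-masking findings above describe.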
Looking ahead: Our ongoing commitment to your security
We are always nurturing a wide range of research perspectives through initiatives like our Bug Bounty program and other collaborative partnerships to ensure Salesforce maintains the highest standards of platform security. We believe that industry participation through transparent insights helps build trusted relationships with our customers, and we look forward to sharing more with our security community.