# AGENTFORCE-31.1 · Autonomous Without-Sharing Escalation (Deep Graph)

Enterprise Tier · Critical · Category: Graph: Privilege Escalation Path
## Detection Logic

Detects the cross-boundary privilege escalation path that emerges when a guest-accessible agent topic chains through a system-mode Flow into a without-sharing Apex class.
```mermaid
graph LR
  AGENT["Agent"]
  TOPIC["AgentTopic\n[guestAccess=true]"]
  ACTION["ActionDef"]
  FLOW["Flow\n[runInMode=SystemModeWithoutSharing]"]
  APEX["ApexClass\n[without sharing]"]
  AGENT -->|CONTAINS| TOPIC
  TOPIC -->|CONTAINS| ACTION
  ACTION -->|TARGETS| FLOW
  FLOW -->|INVOKES| APEX
  APEX -->|"⚠️ org-wide data access"| APEX
```
## What Triggers It

| Hop | Condition |
|---|---|
| 1 | AgentTopic with guestAccess: true or exposedToProfile containing "Guest" |
| 2 | ActionDef contained within the topic (CONTAINS edge) |
| 3 | ActionDef targets a Flow with runInMode: SystemModeWithoutSharing |
| 4 | Flow invokes (or references) an ApexClass with hasWithoutSharing: true |
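The four hop conditions above, implemented as a path search over a small in-memory metadata graph. This is an added example, not the scanner's own code; the node and edge lists are constructed sample data, and the label, relationship and property names (`CONTAINS`, `TARGETS`, `INVOKES`, `guestAccess`, `runInMode`, `hasWithoutSharing`) are taken from the rule text above.

```python
# Constructed sample metadata graph: node id -> (label, properties)
NODES = {
    "agent1": ("Agent", {}),
    "topic_guest": ("AgentTopic", {"guestAccess": True}),
    "act1": ("ActionDef", {}),
    "act2": ("ActionDef", {}),
    "flow_sys": ("Flow", {"runInMode": "SystemModeWithoutSharing"}),
    "flow_default": ("Flow", {"runInMode": "DefaultMode"}),
    "apex_ws": ("ApexClass", {"hasWithoutSharing": True}),
}
# Constructed edges: (source, relationship, target), as in the diagram above
EDGES = [
    ("agent1", "CONTAINS", "topic_guest"),
    ("topic_guest", "CONTAINS", "act1"),
    ("topic_guest", "CONTAINS", "act2"),
    ("act1", "TARGETS", "flow_sys"),
    ("act2", "TARGETS", "flow_default"),
    ("flow_sys", "INVOKES", "apex_ws"),
    ("flow_default", "INVOKES", "apex_ws"),
]
def is_guest_topic(props):
    # Hop 1: guestAccess true, or an exposed profile name containing "Guest"
    return bool(props.get("guestAccess")) or any(
        "Guest" in p for p in props.get("exposedToProfile", []))
# Hops 1-4 as (edge relationship, required target label, property predicate)
PATTERN = [
    ("CONTAINS", "AgentTopic", is_guest_topic),
    ("CONTAINS", "ActionDef", lambda p: True),
    ("TARGETS", "Flow", lambda p: p.get("runInMode") == "SystemModeWithoutSharing"),
    ("INVOKES", "ApexClass", lambda p: p.get("hasWithoutSharing") is True),
]

def find_escalation_paths(nodes, edges):
    """Return every Agent->Topic->ActionDef->Flow->ApexClass chain (node id lists)."""
    out = {}  # (source id, relationship) -> [target ids]
    for src, rel, dst in edges:
        out.setdefault((src, rel), []).append(dst)
    def walk(node, depth, path):
        if depth == len(PATTERN):
            return [path]  # all four hops satisfied: report the chain
        rel, label, pred = PATTERN[depth]
        found = []
        for nxt in out.get((node, rel), []):
            lbl, props = nodes[nxt]
            if lbl == label and pred(props):
                found.extend(walk(nxt, depth + 1, path + [nxt]))
        return found
    return [p for n, (lbl, _) in nodes.items() if lbl == "Agent"
            for p in walk(n, 0, [n])]
```

Only the chain through `flow_sys` is reported; `act2` targets a `DefaultMode` Flow and fails hop 3, so the same without-sharing class reached through it is not a finding.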
## Why Standard Rules Miss This

- AGENTFORCE-1.3 detects the single hop `GenAiFunc → ApexClass[system]`, which misses the Flow intermediary.
- AGENTFORCE-5.1 detects `Flow[SystemMode]`, but doesn't cross to Apex or trace back to the guest topic.
- This rule proves the full 4-hop chain from the guest access boundary to org-wide data exposure.
## Remediation

- Change the Flow `runInMode` from `SystemModeWithoutSharing` to `DefaultMode` or `UserOrSystemMode`.
- Change the Apex class from `without sharing` to `with sharing`.
- Restrict the agent topic to authenticated profiles; remove guest/community access.
- If system mode is required for legitimate reasons, add compensating controls (field-level masking, record-level filtering) within the with-sharing wrapper.