Security researchers expose critical flaw that could hijack Google Dialogflow CX chatbots

2 Sources

Share

Security firm Varonis discovered a critical security vulnerability in Google Dialogflow CX that could have let attackers compromise AI chatbots across entire Google Cloud projects. The Rogue Agent flaw allowed malicious insiders to read live conversations, steal sensitive user data, and send phishing requests. Google patched the vulnerability in June 2026 with no evidence of real-world exploitation.

Critical Security Vulnerability Discovered in Google Dialogflow CX

Security firm Varonis has uncovered a critical security vulnerability in Google Dialogflow CX that could have allowed attackers to hijack AI chatbots handling customer service, healthcare, and financial interactions

1

. The Rogue Agent flaw, disclosed through Google's Vulnerability Reward Program in November 2025, enabled someone with edit rights on one Code Block-enabled agent to compromise AI chatbots across an entire Google Cloud project

2

. Google issued an initial fix in April 2026 and fully resolved the issue in June 2026, approximately seven months from initial report to complete resolution

1

.

The vulnerability affected organizations that built agents using Dialogflow's Playbooks and custom Code Blocks, which allow developers to add their own Python code to chatbot conversation flows

1

. While not a remote, unauthenticated attack, the flaw could be exploited by malicious insiders or compromised developer accounts holding the dialogflow.playbooks.update permission. From that single foothold, attackers could extend their reach to every agent sharing the same execution environment.

Source: Axios

Source: Axios

How Attackers Could Hijack Google Dialogflow CX Chatbots

The Google AI chatbot security flaw stemmed from a fundamental isolation problem in how Dialogflow CX handles Code Blocks. Every agent using Code Blocks within the same Google Cloud project shares one instance of a Google-managed Cloud Run environment

1

. Varonis researchers discovered that a critical file called code_execution_env.py, which wraps developer code before execution, sat in this shared environment with write access.

Attackers could exploit this design flaw by creating a malicious Code Block that downloads a modified version of code_execution_env.py from an attacker-controlled server and overwrites the original inside the running container

1

. Once replaced, the attacker's version executes for every Code Block across every agent sharing that environment, granting access to conversation history, session details, and the respond() function that controls bot replies. This positioned attackers to read each conversation, quietly exfiltrate data to external servers, and make bots post attacker-written messages, including phishing requests asking users to re-verify logins

1

.

Source: Hacker News

Source: Hacker News

Additional Security Gaps Beyond the Rogue Agent Flaw

Varonis reported two related issues that compounded the risk. First, the Code Block execution environment had unrestricted outbound internet access, allowing attackers to use Python's built-in urllib library to send data directly to external servers and receive commands back

1

. This capability bypasses VPC Service Controls, the Google Cloud perimeter designed to prevent data theft by stopping information from leaving protected services. The environment's position outside this perimeter transformed it into a channel for both data exfiltration and remote control.

Second, the environment exposed the Instance Metadata Service (IMDS), an internal endpoint that distributes cloud credentials

1

. While the returned token belonged to a low-privilege Google-managed service account, limiting direct risk, the mere accessibility of IMDS from a code-execution sandbox represents a security design failure. Compounding detection challenges, the file overwrite occurred inside Google's environment where customers have no visibility, and Cloud Logging failed to record the file change or injected code

1

.

Why This Matters for AI Adoption and Security

Matthew Radolec, field CTO at Varonis, told Axios that users could have been tricked into sharing passwords, insurance information, or financial data that attackers could leverage in future cyberattacks

2

. The vulnerability carries particular weight because companies increasingly rely on AI chatbots to handle sensitive customer service, healthcare, and financial interactions, making flaws in these systems attractive targets for attackers

2

.

Radolec argues that AI tools are being adopted faster than technology companies can fully secure them, pointing to this case as an example where zero trust architecture principles were overlooked

2

. Both Varonis and Google confirm there is no evidence the vulnerability was exploited in the wild before it was patched [1](https://thehackernews.com/2026/07/ rogue-agent-flaw-could-have-let.html)

2

. A Google Cloud spokesperson stated that the underlying issue has been fully mitigated with no known indication of customer compromise, and no customer action is required

2

.

What Organizations Should Monitor Going Forward

For organizations that ran Dialogflow CX agents with Code Block Playbooks before the fix, Varonis recommends auditing which roles and accounts hold the dialogflow.playbooks.update permission, as this represents the entire entry point for the attack

1

. Security teams should review DATA_WRITE audit logs for the Dialogflow API for unexpected playbook updates and correlate them with unusual users, IP addresses, or access times. As companies rush to deploy AI capabilities, security teams should verify that AI tools maintain proper isolation and routinely check for exposed credentials to prevent similar vulnerabilities from emerging

2

.

Today's Top Stories

© 2026 TheOutpost.AI All rights reserved