2 Sources
[1]
Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots
A critical flaw in Google's Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent compromise other Code Block-enabled agents in the same Google Cloud project. From there, they could read live conversations, steal the data users shared, and make the bots send attacker-written messages, including requests to re-enter a password. Security firm Varonis found it and named it Rogue Agent. The flaw affected only organizations that built agents with Dialogflow's Playbooks and custom Code Blocks, which let developers add their own Python. And it was not a remote, unauthenticated attack. Pulling it off needed the dialogflow.playbooks.update permission on one such agent, which limits the realistic attacker to a malicious insider or a compromised developer account, not a stranger on the internet. From that one foothold, though, the reach extended to every agent in the project. Google has fixed it, and both Varonis and Google say there is no sign the flaw was ever used in a real attack. One writable file ran every agent's Code Blocks Dialogflow's Code Blocks let developers add custom Python to a chatbot's conversation flow to check input, control behavior, and invoke defined tools. That code runs in a Google-managed Cloud Run environment, and every agent that uses Code Blocks in the same Google Cloud project shares one instance of it. Google runs that environment, the customer cannot see or control it, and Varonis found no real isolation between the agents inside it. When an agent runs a Code Block, the developer's code is appended to internal setup code and passed to Python's exec() function. That setup code defines the variables and functions the block can touch. Variables include history for the full conversation and state for session details like the session ID. Functions include respond(), which makes the bot reply with a given string. Varonis found the file that does this wrapping, code_execution_env.py, sitting in the shared environment with write access. Because that file was writable, a single Code Block could replace it. That block downloads a modified code_execution_env.py from an attacker-controlled server and overwrites the original inside the running container. From then on, the attacker's version runs for every Code Block execution across every agent sharing that environment. It sits in the same scope as legitimate code, with the same access to history, state, and respond(). That lets it read each conversation, quietly send it to the attacker's server, and make the bot post attacker-written messages. One example is phishing: the bot asks the user to re-verify a login, and the attacker collects whatever they type. To cover the tracks, the attacker restores the original Code Block in the Dialogflow console. That changes only what the console displays; the overwritten file is already running in the container and keeps executing underneath. The sandbox leaked two more ways Varonis reported two related issues, and neither needed the file overwrite. First, the Code Block environment had unrestricted outbound internet access. Using the built-in urllib library, the researchers sent data straight to an external server and could receive commands back. Varonis says this bypasses VPC Service Controls, the Google Cloud perimeter meant to stop data from leaving protected services. The environment sits outside that perimeter and can reach the open internet, which turns it into a channel for both data theft and remote control. Second, and less serious, the environment exposed the Instance Metadata Service (IMDS), a normally internal endpoint that hands out cloud credentials. Querying it returned a token for a Google-managed service account. That account was low-privilege, so the direct risk was limited; the real point is that a code-execution sandbox should not be able to reach IMDS at all. Almost nothing reached the logs The overwrite happened inside Google's environment, where customers have no visibility, and Cloud Logging did not record the file change or the injected code. That makes it hard, though not impossible, to catch from the customer side. The setup actions still leave traces, which the checks below rely on. Varonis disclosed the flaw through Google's Vulnerability Reward Program in November 2025. Google shipped an initial fix in April 2026 and fully resolved it in June 2026, about seven months from report to resolution. No CVE was assigned. What to check if you used Code Blocks If you ran Dialogflow CX agents with Code Block Playbooks before the fix and want to confirm you were not targeted, start with access. The dialogflow.playbooks.update permission is the whole entry point, so audit which roles and accounts hold it. Then: * Review your DATA_WRITE audit logs for the Dialogflow API for unexpected playbook updates, and correlate them with unusual users, IP addresses, or access times. * Run a Cloud Logging query for failed user requests, where the error messages can reveal exceptions thrown by malicious Code Blocks. * In the Dialogflow console, open Playbooks for each agent and confirm every Code Block is one you approved. A different kind of AI flaw Many recent AI security flaws have worked by fooling the model. Varonis's own Reprompt and SearchLeak turned a single click into data theft in Microsoft's Copilot. Noma Security's ForcedLeak hid instructions in a Salesforce web form to pull out CRM data. Microsoft's researchers showed prompt injection turning into code execution in the Semantic Kernel framework. Rogue Agent did not touch the model at all. It abused a normal developer feature and a shared, invisible runtime, reachable with one ordinary edit permission. In a setup like this, a permission that looks like a content-edit right is actually a code-execution right. Anyone who can add a Code Block can run arbitrary Python inside a shared environment that the customer cannot inspect. Treat agent-edit permissions as the runtime controls they are. Even when the provider says nothing needs fixing, customers still have no way to look inside that runtime themselves.
[2]
Exclusive: Researchers uncover Google AI chatbot security flaw
Why it matters: Companies are increasingly relying on AI chatbots to handle customer service, health care and financial interactions -- making flaws in these systems rich targets for attackers. Driving the news: Varonis found a critical vulnerability in Google's Dialogflow CX platform, which companies use to build AI-powered customer service chatbots and voice assistants. * The service is widely used to power customer support chats, financial services bots and health care assistants. * Varonis researchers found that someone who compromised one chatbot could silently monitor conversations, impersonate the bot and, in some cases, interfere with other AI chatbots running in the same Google Cloud project. Threat level: Users could have been tricked into sharing passwords, insurance information or financial data that attackers could then use in future cyberattacks, Matthew Radolec, field CTO at Varonis, told Axios. * Varonis initially discovered the issue in November, and Google issued a security patch last month. Google did not respond to a request for comment. Yes, but: Varonis said it found no evidence the vulnerability had been exploited in the wild before it was patched. * "We appreciate the efforts of researchers like Varonis who disclose their findings through our Vulnerability Reward Program," a Google Cloud spokesperson told Axios in a statement. "The underlying issue has been fully mitigated, and we have no known indication of customer compromise. No customer action is required." Between the lines: Radolec argues AI tools are being adopted faster than technology companies can fully secure them. * "This whole concept of 'zero trust' architecture is supposed to be leading the charge in cloud and AI, and this is a case where that was overlooked," he said. The bottom line: As companies rush to deploy AI, security teams should verify that AI tools are properly isolated and routinely check for exposed credentials.
Share
Copy Link
Security firm Varonis discovered a critical security vulnerability in Google Dialogflow CX that could have let attackers compromise AI chatbots across entire Google Cloud projects. The Rogue Agent flaw allowed malicious insiders to read live conversations, steal sensitive user data, and send phishing requests. Google patched the vulnerability in June 2026 with no evidence of real-world exploitation.
Security firm Varonis has uncovered a critical security vulnerability in Google Dialogflow CX that could have allowed attackers to hijack AI chatbots handling customer service, healthcare, and financial interactions
1
. The Rogue Agent flaw, disclosed through Google's Vulnerability Reward Program in November 2025, enabled someone with edit rights on one Code Block-enabled agent to compromise AI chatbots across an entire Google Cloud project2
. Google issued an initial fix in April 2026 and fully resolved the issue in June 2026, approximately seven months from initial report to complete resolution1
.The vulnerability affected organizations that built agents using Dialogflow's Playbooks and custom Code Blocks, which allow developers to add their own Python code to chatbot conversation flows
1
. While not a remote, unauthenticated attack, the flaw could be exploited by malicious insiders or compromised developer accounts holding the dialogflow.playbooks.update permission. From that single foothold, attackers could extend their reach to every agent sharing the same execution environment.
Source: Axios
The Google AI chatbot security flaw stemmed from a fundamental isolation problem in how Dialogflow CX handles Code Blocks. Every agent using Code Blocks within the same Google Cloud project shares one instance of a Google-managed Cloud Run environment
1
. Varonis researchers discovered that a critical file called code_execution_env.py, which wraps developer code before execution, sat in this shared environment with write access.Attackers could exploit this design flaw by creating a malicious Code Block that downloads a modified version of code_execution_env.py from an attacker-controlled server and overwrites the original inside the running container
1
. Once replaced, the attacker's version executes for every Code Block across every agent sharing that environment, granting access to conversation history, session details, and the respond() function that controls bot replies. This positioned attackers to read each conversation, quietly exfiltrate data to external servers, and make bots post attacker-written messages, including phishing requests asking users to re-verify logins1
.
Source: Hacker News
Varonis reported two related issues that compounded the risk. First, the Code Block execution environment had unrestricted outbound internet access, allowing attackers to use Python's built-in urllib library to send data directly to external servers and receive commands back
1
. This capability bypasses VPC Service Controls, the Google Cloud perimeter designed to prevent data theft by stopping information from leaving protected services. The environment's position outside this perimeter transformed it into a channel for both data exfiltration and remote control.Second, the environment exposed the Instance Metadata Service (IMDS), an internal endpoint that distributes cloud credentials
1
. While the returned token belonged to a low-privilege Google-managed service account, limiting direct risk, the mere accessibility of IMDS from a code-execution sandbox represents a security design failure. Compounding detection challenges, the file overwrite occurred inside Google's environment where customers have no visibility, and Cloud Logging failed to record the file change or injected code1
.Related Stories
Matthew Radolec, field CTO at Varonis, told Axios that users could have been tricked into sharing passwords, insurance information, or financial data that attackers could leverage in future cyberattacks
2
. The vulnerability carries particular weight because companies increasingly rely on AI chatbots to handle sensitive customer service, healthcare, and financial interactions, making flaws in these systems attractive targets for attackers2
.Radolec argues that AI tools are being adopted faster than technology companies can fully secure them, pointing to this case as an example where zero trust architecture principles were overlooked
2
. Both Varonis and Google confirm there is no evidence the vulnerability was exploited in the wild before it was patched [1](https://thehackernews.com/2026/07/ rogue-agent-flaw-could-have-let.html)2
. A Google Cloud spokesperson stated that the underlying issue has been fully mitigated with no known indication of customer compromise, and no customer action is required2
.For organizations that ran Dialogflow CX agents with Code Block Playbooks before the fix, Varonis recommends auditing which roles and accounts hold the dialogflow.playbooks.update permission, as this represents the entire entry point for the attack
1
. Security teams should review DATA_WRITE audit logs for the Dialogflow API for unexpected playbook updates and correlate them with unusual users, IP addresses, or access times. As companies rush to deploy AI capabilities, security teams should verify that AI tools maintain proper isolation and routinely check for exposed credentials to prevent similar vulnerabilities from emerging2
.Summarized by
Navi
08 Aug 2025•Technology

30 Mar 2026•Technology

08 Jan 2026•Technology

1
Policy and Regulation

2
Policy and Regulation

3
Policy and Regulation
