Google Patched Dialogflow CX Rogue Agent Flaw That Could Have Hijacked AI Chatbots


Google has patched a serious Dialogflow CX vulnerability that could have allowed an attacker with limited edit access to inject malicious code into AI chatbot workflows and monitor user conversations.

The flaw, named Rogue Agent by Varonis Threat Labs, affected organizations that used Dialogflow CX Playbooks with custom Code Blocks. It was not an unauthenticated internet attack, but it showed how one compromised developer account or insider permission could become a much larger AI security problem.

According to Axios, Google said the underlying issue has been fully mitigated and that it has no known indication of customer compromise. Varonis also said it is not aware of exploitation in the wild before the patch.

What happened in Dialogflow CX

Dialogflow CX is Google Cloud’s platform for building conversational agents, including customer support chatbots and voice assistants. Its Playbooks feature helps developers guide an agent through tasks, while Google’s Code Blocks documentation describes Code Blocks as inline Python code that can help control agent behavior.

Varonis found that Code Blocks ran inside a Google-managed Cloud Run environment. The key problem was that multiple Dialogflow agents using Code Blocks in the same Google Cloud project shared the same execution environment.

The researchers also found that a file called code_execution_env.py was writable. That file helped execute Code Block logic through Python’s exec() function. By overwriting it, an attacker could persist malicious logic inside the shared runtime.

AreaDetails
Affected productGoogle Cloud Dialogflow CX agents using Playbooks with Code Blocks
Research nameRogue Agent
Required accessdialogflow.playbooks.update permission on one agent
Main riskConversation monitoring, data exfiltration, chatbot impersonation, and phishing prompts
StatusGoogle issued an initial update in April 2026 and fully resolved the issue in June 2026

How Rogue Agent could have worked

The attack relied on a permission that may look narrow at first. The dialogflow.playbooks.update permission can be scoped to one agent, but Varonis found that it could still allow a user to configure Code Blocks and execute arbitrary Python inside the shared environment.

Once inside that environment, malicious code could access session-related variables, including conversation history and state data. Varonis said the code could also call internal functions such as respond(), which could make the chatbot send attacker-controlled messages that looked like normal agent responses.

The same Rogue Agent report said an attacker could restore the visible Code Block configuration afterward, while the overwritten runtime file continued operating in the background. That made the compromise harder for customers to detect from the console.

  • Read live or recent chatbot conversations
  • Send conversation data to an external server
  • Impersonate normal chatbot responses
  • Display fake reauthentication messages to collect credentials
  • Affect other Code Block-enabled agents in the same Google Cloud project

Why the shared runtime increased the risk

The most important finding was not simply that custom Python could run. Code Blocks are meant to support custom logic, and Google’s Code Blocks page explains that developers can use inline Python functions when defining a playbook.

The risk came from how that code was isolated. Varonis said all agents using Code Blocks in the same project effectively shared one Google-managed execution environment, which customers could not directly inspect or control.

Two related issues made the impact worse. First, the Cloud Run environment had outbound internet access, which could have turned it into a covert data exfiltration path. Second, researchers said the Instance Metadata Service was reachable, allowing retrieval of access tokens tied to a low-privileged Google-managed service account.

WeaknessSecurity impact
Writable runtime fileAllowed persistent malicious code inside the Code Block execution pipeline
Shared execution environmentAllowed one affected agent to influence other Code Block-enabled agents in the same project
Outbound internet accessCreated a possible path for data exfiltration outside expected controls
IMDS exposureExposed low-privilege Google-managed service account tokens inside the runtime

What Google and customers said about the patch

Varonis reported the vulnerability to Google in November 2025 through Google’s Vulnerability Reward Program. Google shipped an initial security update in April 2026 and fully resolved the issue in June 2026.

In a statement reported by Axios, Google Cloud said it appreciated Varonis’ responsible disclosure, fully mitigated the issue, and had no known indication of customer compromise. Google also said no customer action is required for the fix itself.

Rogue Agent

However, organizations that used Dialogflow CX Playbooks with Code Blocks before the fix may still want to review their environments. That is especially important for companies that use chatbots for customer support, banking, healthcare, insurance, retail, or internal workflows that process sensitive data.

How teams can check for suspicious activity

Security teams should start by reviewing who has or had permission to update Dialogflow playbooks. Any account with dialogflow.playbooks.update should be treated as having access to code-execution behavior, not only chatbot content editing.

Google’s Dialogflow CX audit logging documentation says Data Access audit logs include data read and data write operations, but Data Access logs must be explicitly enabled. That detail matters because some older suspicious activity may not exist in logs if the right logging category was not active at the time.

Varonis recommends reviewing DATA_WRITE audit logs for Dialogflow API activity, looking for unusual playbook update events, and correlating them with rare users, unfamiliar IP addresses, or unusual access times. Teams should also inspect failed requests and review protoPayload.status.message for exceptions that may point to malicious Code Block behavior.

  • Check which users and service accounts can update Dialogflow playbooks
  • Review historical playbook update events where DATA_WRITE audit logs are available
  • Compare suspicious updates with login time, IP address, and user behavior
  • Search Cloud Logging for failed Dialogflow requests linked to Code Block exceptions
  • Manually review each Playbook and confirm that only approved Code Blocks remain

Why Rogue Agent matters for AI security

Rogue Agent stands out because it did not depend on fooling a chatbot with a prompt. It abused a normal developer feature and a shared runtime behind that feature. In practice, it turned a limited editing permission into a potential execution and surveillance path.

The issue also lands at a time when enterprise AI agents are moving quickly into production. Microsoft’s Cyber Pulse AI security report says over 80% of Fortune 500 companies are deploying active agents built with low-code or no-code tools.

That growth makes permissions, runtime isolation, logging, and agent visibility more important. The same Microsoft report recommends applying Zero Trust principles to AI agents, including least privilege, explicit verification, and an assumption that compromise can occur.

Bottom line

Google has fixed the Dialogflow CX Rogue Agent issue, and there is no known evidence of customer compromise. Even so, the case gives cloud and AI teams a clear warning: chatbot editing rights can carry more risk than they appear to carry.

Organizations should treat AI agent configuration, Code Blocks, service accounts, and runtime permissions as security-sensitive assets. They should also confirm that Dialogflow CX audit logging is enabled where needed, because strong logs may be the only practical way to investigate past activity after a managed service has already been patched.

FAQ

What is the Dialogflow CX Rogue Agent vulnerability?

Rogue Agent is the name Varonis gave to a patched Dialogflow CX vulnerability that could have allowed an attacker with playbook update permission to inject persistent malicious code into Code Block-enabled chatbot workflows.

Was the Dialogflow CX vulnerability exploited in the wild?

Varonis said it is not aware of exploitation in the wild before Google’s patch. Google also said it has no known indication of customer compromise.

Who was at risk from Rogue Agent?

The risk applied to organizations that used Dialogflow CX Playbooks with Code Blocks before Google fully resolved the issue. The attack required dialogflow.playbooks.update permission on at least one agent, so it was more realistic for a compromised developer account or malicious insider than for an unauthenticated remote attacker.

What data could attackers have accessed?

Attackers could have accessed chatbot conversation history and session-related data available inside the Code Block execution scope. They could also have manipulated chatbot replies and created phishing-style prompts to collect sensitive information from users.

What should Dialogflow CX customers do now?

Google says the underlying issue has been mitigated, but teams that used Code Blocks before the fix should review playbook update permissions, check DATA_WRITE audit logs where available, look for unusual playbook updates, and manually confirm that current Code Blocks are approved.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages