Experts say they were able to create a rogue agent in Google’s AI platform with just a single edit permission
Vulnerability in Google Cloud Dialogflow CX
Experts say they were able to create a rogue agent in Google’s AI platform with just a single edit permission. One compromised agent could take over every other agent in that project, leading to chat logs access, and even data exfiltration.
Varonis uncovered CVE‑level flaws in Google Cloud Dialogflow CX, where malicious Code Blocks in Playbooks could hijack agents, exfiltrate chat logs, and steal credentials. The shared Cloud Run environment with excess privileges meant one compromised agent could control all others in a project, with attacks virtually undetectable in Cloud Logging.
Google patched the issue between April–June 2026; researchers advise reviewing audit logs, checking anomalous errors, and manually inspecting Code Blocks for unauthorized code.
Discovery and Impact
Researchers recently found a critical vulnerability in Google Cloud’s Dialogflow CX, allowing threat actors to take over different AI agents, access chat logs, and even exfiltrate sensitive data such as login credentials.
Dialogflow CX is Google Cloud’s conversational AI platform used to build many voice and text chatbots. This platform lets developers add Code Blocks, which are custom Python snippets, into conversation "Playbooks". These blocks all execute inside a single Google-managed Cloud Run service, shared across all agents in a Google Cloud Platform project.
Security researchers Varonis said they discovered a critical vulnerability in which the theoretical attacker didn’t need broad admin access. With permission to edit a single chatbot’s settings, they would be able to plant malicious code relatively easily.
The Cloud Run environment had no code restrictions, Varonis further explained, but had a writable filesystem, public internet egress, and ran with excess privileges. Key files could have been overwritten entirely, it was added.
Attack Capabilities
As a result, the attacker had access to full conversation history and session state. They could call internal functions and fake LLM-generated replies which, they claim, could lead to phishing and credential theft.
Since the environment is shared per-project, one compromised agent could take over every other agent in that project, and since Cloud Logging doesn’t capture the file overwrite or injected logic, the attack would be "virtually undetectable."
Remediation and Recommendations
Varonis reported the issue to Google in November 2025, and the latter came back with an initial fix in April 2026. However, the issue had not been fully resolved until June 2026.
In the report, the researchers said there is no evidence of in-the-wild exploitation attempts and advises customers to:
- Review
DATA_WRITEaudit logs forPlaybooks.UpdatePlaybookcalls - Check for anomalous
Sessions.DetectIntenterrors - Manually inspect each agent's Code Blocks for leftover unauthorized code
Comments
No comments yet. Start the discussion.