Rogue Agent Vulnerability Hijacks Google Dialogflow Chatbots
A Single Key to the Kingdom
Granting edit permissions to a single chatbot proved to be the master key to an entire system. Specifically, the Rogue Agent vulnerability discovered within Google Dialogflow CX allowed a malicious actor with access to just one agent to seize control over all other agents utilizing code blocks within the identical Google Cloud project.
According to comprehensive research by Varonis, this critical security flaw impacted organizations that constructed conversational agents via Playbooks and integrated custom Python code. An entirely unauthenticated remote attack was fundamentally impossible. To exploit this weakness, an attacker strictly required the dialogflow.playbooks.update permission. Consequently, this vulnerability could only be leveraged by a malicious insider or an external threat actor who had successfully compromised a legitimate developer’s account credentials.
Exploiting the Shared Cloud Run Environment
Fundamentally, all agents operating with code blocks within a singular project shared a common Cloud Run execution environment. Security specialists identified a glaring vulnerability within this shared space: a world-writable file named code_execution_env.py, responsible for preparing and executing the code for every agent. A single maliciously crafted block could completely overwrite this critical file with a compromised version. Following this substitution, the modified code executed indiscriminately every time any connected chatbot initiated a code block.
Intercepting Conversations and Forging Responses
This unauthorized substitution granted total access to conversation histories, active session data, and the core function responsible for generating chatbot responses. In a controlled test demonstration, this mechanism permitted researchers to silently exfiltrate private chat transcripts to an external command-and-control server. Furthermore, it allowed the injection of malicious messages directly to end-users, such as sophisticated phishing requests demanding they re-enter sensitive passwords. Reverting the original block within the developer console failed to halt the attack, as the compromised Python file persisted actively inside the running container.
Silent Exfiltration and Remediation
Further analysis by Varonis revealed that this execution environment possessed unrestricted outbound internet access, enabling it to freely receive external commands. Additionally, these code blocks maintained access to the internal metadata service, although the service account token retrieved yielded limited privileges. The modification of the shared file and the subsequent execution of injected code barely registered in client logs, rendering detection exceptionally difficult. For a deep technical dive into this exploit chain, refer to the Varonis rogue agent dialogflow attack analysis.
Researchers initially disclosed this severe issue to Google in November 2025. The technology giant deployed a preliminary fix in April 2026, yet only achieved full remediation of the vulnerability by June. Interestingly, this flaw was never assigned a formal CVE identifier, and investigators found zero evidence of active exploitation in the wild.
Recommended Security Audits
Organizations that actively utilized Code Blocks prior to the final patch deployment must take immediate action. Security teams are strongly advised to audit all users possessing the dialogflow.playbooks.update permission. Furthermore, they must meticulously examine Playbooks modification logs, correlating any suspicious activities with specific users, IP addresses, and timestamps, while conducting a manual review of all code blocks within Dialogflow CX.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.