VYPR
advisoryPublished Jul 7, 2026· 2 sources

Critical 'Rogue Agent' Vulnerability in Google Cloud Dialogflow CX Allowed Persistent Code Injection

A critical vulnerability dubbed 'Rogue Agent' in Google Cloud Dialogflow CX allowed attackers to inject persistent malicious Python code into AI chatbots, potentially exfiltrating conversations and enabling phishing attacks.

Google Cloud Platform's Dialogflow CX, a service for building AI-powered chatbots, was found to be vulnerable to a critical flaw named 'Rogue Agent'. This vulnerability, disclosed by Varonis Threat Labs, allowed attackers with a single edit permission to inject persistent malicious Python code into an organization's AI chatbot pipeline. The implications were severe, including the silent exfiltration of sensitive conversation data and the enablement of large-scale phishing campaigns.

The exploit leveraged Dialogflow CX's Playbook Code Blocks feature, which allows developers to embed custom Python logic for processing user input and interacting with external APIs within a Google-managed environment. Researchers discovered that a key file, code_execution_env.py, responsible for executing this custom code via Python's exec() function, was writable and lacked sufficient restrictions. By overwriting this file, an attacker could gain control over the shared session variables, including conversation history, and hijack the execution scope of every agent within the same GCP project.

Crucially, only the dialogflow.playbooks.update permission was required to exploit this vulnerability. This permission could be scoped to a single agent, making it easier for attackers to gain a foothold. Once control was established, attackers could exfiltrate conversation data to external servers, impersonate the chatbot's legitimate responses using internal functions like respond(), and even inject phishing prompts disguised as reauthentication requests to steal user credentials.

Adding to the severity, the malicious code could persist without detection. Attackers could restore the original-looking configuration within the Dialogflow CX console, effectively hiding their malicious activities from standard Cloud Logging audits. This made post-compromise detection extremely challenging.

The vulnerability was further amplified by two compounding issues. Firstly, Cloud Run's unrestricted outbound internet access allowed attackers to use the execution environment as a covert data exfiltration proxy, bypassing even enforced VPC Service Controls. Secondly, the exposure of the Instance Metadata Service enabled the retrieval of access tokens tied to a Google-managed service account, violating isolation principles despite the account's limited privileges.

Varonis initially reported the vulnerability to Google in November 2025. Google responded by shipping an initial fix in April 2026 and fully resolving the issue by June 2026. Fortunately, there was no known exploitation of this vulnerability in the wild prior to the patch being deployed.

The 'Rogue Agent' vulnerability follows a pattern of security issues discovered in AI platforms, including previous disclosures by Varonis in Microsoft Copilot. With approximately 80% of Fortune 500 companies now utilizing AI agents, the attack surface for such platforms is rapidly expanding, underscoring the need for robust security measures.

Google and Varonis recommend that organizations using Dialogflow CX with Playbook Code Blocks prior to the patch take immediate steps. These include enabling DATA_WRITE audit logs for the Dialogflow API, reviewing past playbook update events for anomalies, correlating suspicious updates with unusual API access patterns, and manually verifying each agent's Playbooks in the console to ensure only whitelisted code blocks are configured.

This new report clarifies that the 'Rogue Agent' vulnerability in Google Dialogflow CX specifically allowed attackers with edit rights on one agent to compromise other agents within the same Google Cloud project. The potential impact includes reading live conversations, stealing user data, and sending malicious messages, such as fake credential re-entry prompts.

Synthesized by Vypr AI