Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Artificial Intelligence

Google Dialogflow CX Bug Allowed Attackers to Hijack AI Conversations

The “Rogue Agent” vulnerability could have enabled attackers to silently manipulate AI conversations, exfiltrate data, and compromise every Dialogflow CX agent within the same Google Cloud project.

A vulnerability in Google Cloud’s Dialogflow CX service could have allowed attackers to silently control agents, manipulate conversations, and exfiltrate sensitive information, Varonis reports.

Dialogflow CX is an enterprise-grade conversational AI platform that allows organizations to build complex virtual agents and chatbots for customer support, financial services, healthcare assistance, and sensitive data-handling workflows within enterprise environments.

For user conversation workflows, Dialogflow CX relies on Playbooks, which offer Code Blocks, to support embedding custom Python logic into conversation flows, enabling agents to process user input, call APIs, and manipulate data.

Code Blocks are executed within an environment controlled by Google, namely the Cloud Run service. Cloud Run instances can initiate outbound connections to the internet and communicate across data perimeters.

“Here lies the critical design detail — all Dialogflow agents that use Code Blocks in the same GCP project effectively share the same Cloud Run execution environment, which is managed by Google and is outside the victim’s scope,” says Varonis, which named the vulnerability Rogue Agent.

Varonis discovered that, within a Cloud Run instance with public access, a write-enabled file system, and running under a user with the ability to modify system files, when the permission to configure Code Blocks was enabled, it was possible to modify a key file responsible for executing Code Blocks using Python’s exec() function.

Advertisement. Scroll to continue reading.

Since there were no restrictions to run arbitrary Python code, the key file could be overwritten to implement malicious code that could provide access to user conversations and could allow Code Blocks pipeline interference and workflow manipulation.

“Because the injected Code Block is executed in the same scope inside exec(), attackers could reference these variables directly. This meant full visibility into ongoing conversations and the ability to hijack sessions or impersonate legitimate flows,” Varonis explains.

An attacker could also call internal functions to force the agent to return specific strings, enabling conversation manipulation that could lead to phishing and social engineering attacks.

By modifying the key file, an attacker could exfiltrate user conversations, inject phishing prompts disguised as legitimate reauthentication requests, and deploy a persistent logic to modify the file for every user. The modification did not appear in logs, making the attack completely invisible.

“The result? Attackers could silently take control of every agent in the same GCP project, manipulate conversations, and exfiltrate sensitive data without detection. For organizations relying on Dialogflow CX for customer interactions, this flaw represented a catastrophic breach of trust, all from a single, overlooked permission on a single agent,” Varonis notes.

The cybersecurity firm also discovered that it could establish a bidirectional communication channel to an external server, bypassing VPC Service Controls (used to enforce data perimeters), and that the Instance Metadata Service (IMDS) within the Cloud Run environment could be targeted to retrieve access tokens for a Google-managed service account.

Varonis reported the vulnerability to Google Cloud in November 2025. An initial patch was rolled out in April, with a complete fix deployed in June.

Related: How to Conduct a Successful Audit of AI-Driven Software Development

Related: Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors

Related: CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for Flaws

Related: ‘BioShocking’ Attack Tricks AI Browsers Into Stealing Credentials

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.