A vulnerability in Google Cloud’s Dialogflow CX service could have allowed attackers to silently control agents, manipulate conversations, and exfiltrate sensitive information, Varonis reports.
Dialogflow CX is an enterprise-grade conversational AI platform that allows organizations to build complex virtual agents and chatbots for customer support, financial services, healthcare assistance, and sensitive data-handling workflows within enterprise environments.
For user conversation workflows, Dialogflow CX relies on Playbooks, which offer Code Blocks, to support embedding custom Python logic into conversation flows, enabling agents to process user input, call APIs, and manipulate data.
Code Blocks are executed within an environment controlled by Google, namely the Cloud Run service. Cloud Run instances can initiate outbound connections to the internet and communicate across data perimeters.
“Here lies the critical design detail — all Dialogflow agents that use Code Blocks in the same GCP project effectively share the same Cloud Run execution environment, which is managed by Google and is outside the victim’s scope,” says Varonis, which named the vulnerability Rogue Agent.
Varonis discovered that, within a Cloud Run instance with public access, a write-enabled file system, and running under a user with the ability to modify system files, when the permission to configure Code Blocks was enabled, it was possible to modify a key file responsible for executing Code Blocks using Python’s exec() function.
Since there were no restrictions to run arbitrary Python code, the key file could be overwritten to implement malicious code that could provide access to user conversations and could allow Code Blocks pipeline interference and workflow manipulation.
“Because the injected Code Block is executed in the same scope inside exec(), attackers could reference these variables directly. This meant full visibility into ongoing conversations and the ability to hijack sessions or impersonate legitimate flows,” Varonis explains.
An attacker could also call internal functions to force the agent to return specific strings, enabling conversation manipulation that could lead to phishing and social engineering attacks.
By modifying the key file, an attacker could exfiltrate user conversations, inject phishing prompts disguised as legitimate reauthentication requests, and deploy a persistent logic to modify the file for every user. The modification did not appear in logs, making the attack completely invisible.
“The result? Attackers could silently take control of every agent in the same GCP project, manipulate conversations, and exfiltrate sensitive data without detection. For organizations relying on Dialogflow CX for customer interactions, this flaw represented a catastrophic breach of trust, all from a single, overlooked permission on a single agent,” Varonis notes.
The cybersecurity firm also discovered that it could establish a bidirectional communication channel to an external server, bypassing VPC Service Controls (used to enforce data perimeters), and that the Instance Metadata Service (IMDS) within the Cloud Run environment could be targeted to retrieve access tokens for a Google-managed service account.
Varonis reported the vulnerability to Google Cloud in November 2025. An initial patch was rolled out in April, with a complete fix deployed in June.
Related: How to Conduct a Successful Audit of AI-Driven Software Development
Related: Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors
Related: CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for Flaws
Related: ‘BioShocking’ Attack Tricks AI Browsers Into Stealing Credentials
