Back to Feed
VulnerabilitiesJul 8, 2026

Google Dialogflow CX Bug Allowed Attackers to Hijack AI Conversations

Google Dialogflow CX 'Rogue Agent' vulnerability allowed attackers to hijack AI conversations and exfiltrate data

Summary

A critical vulnerability in Google Cloud's Dialogflow CX service, dubbed 'Rogue Agent', could have enabled attackers with Code Block configuration permissions to modify execution files and inject malicious Python code. This would have allowed silent manipulation of all AI conversations, data exfiltration, and hijacking of every Dialogflow CX agent within the same Google Cloud project. Google patched the vulnerability in April 2025 with a complete fix deployed in June 2025, following Varonis's November 2025 disclosure.

Full text

A vulnerability in Google Cloud’s Dialogflow CX service could have allowed attackers to silently control agents, manipulate conversations, and exfiltrate sensitive information, Varonis reports. Dialogflow CX is an enterprise-grade conversational AI platform that allows organizations to build complex virtual agents and chatbots for customer support, financial services, healthcare assistance, and sensitive data-handling workflows within enterprise environments. For user conversation workflows, Dialogflow CX relies on Playbooks, which offer Code Blocks, to support embedding custom Python logic into conversation flows, enabling agents to process user input, call APIs, and manipulate data. Code Blocks are executed within an environment controlled by Google, namely the Cloud Run service. Cloud Run instances can initiate outbound connections to the internet and communicate across data perimeters. “Here lies the critical design detail — all Dialogflow agents that use Code Blocks in the same GCP project effectively share the same Cloud Run execution environment, which is managed by Google and is outside the victim’s scope,” says Varonis, which named the vulnerability Rogue Agent. Varonis discovered that, within a Cloud Run instance with public access, a write-enabled file system, and running under a user with the ability to modify system files, when the permission to configure Code Blocks was enabled, it was possible to modify a key file responsible for executing Code Blocks using Python’s exec() function.Advertisement. Scroll to continue reading. Since there were no restrictions to run arbitrary Python code, the key file could be overwritten to implement malicious code that could provide access to user conversations and could allow Code Blocks pipeline interference and workflow manipulation. “Because the injected Code Block is executed in the same scope inside exec(), attackers could reference these variables directly. This meant full visibility into ongoing conversations and the ability to hijack sessions or impersonate legitimate flows,” Varonis explains. An attacker could also call internal functions to force the agent to return specific strings, enabling conversation manipulation that could lead to phishing and social engineering attacks. By modifying the key file, an attacker could exfiltrate user conversations, inject phishing prompts disguised as legitimate reauthentication requests, and deploy a persistent logic to modify the file for every user. The modification did not appear in logs, making the attack completely invisible. “The result? Attackers could silently take control of every agent in the same GCP project, manipulate conversations, and exfiltrate sensitive data without detection. For organizations relying on Dialogflow CX for customer interactions, this flaw represented a catastrophic breach of trust, all from a single, overlooked permission on a single agent,” Varonis notes. The cybersecurity firm also discovered that it could establish a bidirectional communication channel to an external server, bypassing VPC Service Controls (used to enforce data perimeters), and that the Instance Metadata Service (IMDS) within the Cloud Run environment could be targeted to retrieve access tokens for a Google-managed service account. Varonis reported the vulnerability to Google Cloud in November 2025. An initial patch was rolled out in April, with a complete fix deployed in June. Related: How to Conduct a Successful Audit of AI-Driven Software Development Related: Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors Related: CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for Flaws Related: ‘BioShocking’ Attack Tricks AI Browsers Into Stealing Credentials Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Linux Kernel Vulnerability Allows VM Escape on Intel and AMD SystemsBlogspot-Hosted Payloads Delivered in ‘Veil#Drop’ AttacksArmored Likho APT Targeting Government, Electric Power EntitiesNorth Korean Hackers Target Open Source Developers in Supply Chain Attacks Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access VulnerabilityPrompt Injection Attacks Trick AI Agents Into Making Crypto PaymentsAgentic AI Used to Conduct Ransomware Attack via LangflowMedtronic Data Breach Impacts 3.8 Million People Latest News Webinar Today: Why Email Security Keeps FailingCISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla FlawsCritical Vulnerability Exposes GitHub Agentic Workflows to Prompt InjectionCounty Government Reportedly Paid $1 Million to Cyber Extortion GroupCritical Gitea Flaw Under Active Exploitation, Researchers WarnCISA Reportedly Using Anthropic’s Mythos to Scan Government Software for FlawsCritical Adobe ColdFusion Vulnerability Exploited in AttacksIran-Linked Hackers Using Modular C&C Framework in Cyberattacks Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveSherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Entities

Google (vendor)Google Dialogflow CX (product)Google Cloud Run (product)VPC Service Controls (technology)Instance Metadata Service (technology)Varonis (product)