Critical "Rogue Agent" Vulnerability in Google Cloud’s Dialogflow CX Exposed AI Chatbots to Persistent Attacks
Security researchers at Varonis Threat Labs disclosed a severe vulnerability in Google Cloud Platform’s (GCP) Dialogflow CX, dubbed "Rogue Agent," which allowed attackers to inject malicious code into AI-powered chatbot pipelines with minimal permissions. The flaw, patched between April and June 2026, could enable large-scale data exfiltration and phishing campaigns while remaining undetected in standard logs.
How the Exploit Worked
The vulnerability stemmed from Playbook Code Blocks, a Dialogflow CX feature that lets developers embed custom Python logic within a Google-managed execution environment. Researchers found that:
- Shared execution environments: All agents in the same GCP project used the same Cloud Run instance, where a critical file (
code_execution_env.py) responsible for executing Python code viaexec()was writable and lacked restrictions. - Low-privilege access: Attackers only needed the
dialogflow.playbooks.updatepermission (scopable to a single agent) to overwrite the file, gaining control over shared session variables, including conversation history. - Persistent compromise: Malicious code could exfiltrate data, impersonate legitimate responses, and inject phishing prompts (e.g., fake reauthentication requests) without detection. Attackers could later restore the original configuration, erasing traces in Cloud Logging.
Amplified Risks
Two additional flaws worsened the impact:
- VPC Service Controls (VPC-SC) bypass: Cloud Run’s unrestricted outbound internet access allowed attackers to use the environment as a covert data-exfiltration proxy, even when VPC-SC was enforced.
- IMDS credential leakage: Exposure of the Instance Metadata Service (IMDS) enabled retrieval of Google-managed service account tokens, violating isolation principles despite their limited privileges.
Disclosure & Response
Varonis reported the vulnerability to Google in November 2025. Google deployed an initial fix in April 2026, with a full resolution by June 2026. No in-the-wild exploitation was confirmed before the patch.
Broader Context
"Rogue Agent" follows other AI-platform vulnerabilities disclosed by Varonis, including:
- Reprompt (Microsoft Copilot Personal)
- SearchLeak (Microsoft Copilot Enterprise, patched as CVE-2026-42824 with critical severity)
The incident underscores the expanding attack surface as 80% of Fortune 500 companies now use AI agents, increasing risks across cloud platforms. Organizations using Dialogflow CX with Playbook Code Blocks before the patch were advised to audit logs for anomalies, review configurations, and monitor for suspicious activity.
Source: https://cybersecuritynews.com/gcp-dialogflow-vulnerability/
Google Cloud cybersecurity rating report: https://www.rankiteo.com/company/google-cloud
Veraset cybersecurity rating report: https://www.rankiteo.com/company/veraset
"id": "GOOVER1783448669",
"linkid": "google-cloud, veraset",
"type": "Vulnerability",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Organizations using Dialogflow '
'CX with Playbook Code Blocks '
'before June 2026',
'industry': 'Technology, Cloud Computing, AI',
'location': 'Global',
'name': 'Google Cloud Platform (Dialogflow CX users)',
'size': 'Large (80% of Fortune 500 companies use AI '
'agents)',
'type': 'Cloud Service Provider / AI Platform'}],
'attack_vector': 'Playbook Code Blocks in Dialogflow CX',
'data_breach': {'data_exfiltration': 'Possible via Cloud Run outbound '
'internet access',
'personally_identifiable_information': 'Possible',
'sensitivity_of_data': 'High (if PII or business-sensitive '
'data was involved)',
'type_of_data_compromised': ['Conversation history',
'Session variables',
'Potentially sensitive user '
'data']},
'date_detected': '2025-11',
'date_publicly_disclosed': '2026-06',
'date_resolved': '2026-06',
'description': 'Security researchers at Varonis Threat Labs disclosed a '
'severe vulnerability in Google Cloud Platform’s (GCP) '
"Dialogflow CX, dubbed 'Rogue Agent,' which allowed attackers "
'to inject malicious code into AI-powered chatbot pipelines '
'with minimal permissions. The flaw could enable large-scale '
'data exfiltration and phishing campaigns while remaining '
'undetected in standard logs.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust in '
'AI-powered chatbot security',
'data_compromised': 'Conversation history, session variables, '
'potentially sensitive user data',
'identity_theft_risk': 'High (if PII was exposed)',
'operational_impact': 'Potential large-scale data exfiltration, '
'phishing campaigns, and undetected '
'malicious activity',
'systems_affected': 'Google Cloud Dialogflow CX with Playbook Code '
'Blocks enabled'},
'initial_access_broker': {'backdoors_established': 'Malicious code injection '
'into '
'`code_execution_env.py`',
'entry_point': 'Playbook Code Blocks (low-privilege '
'`dialogflow.playbooks.update` '
'permission)',
'high_value_targets': 'Shared session variables, '
'conversation history'},
'investigation_status': 'Resolved (no in-the-wild exploitation confirmed)',
'lessons_learned': 'The incident highlights the risks of shared execution '
'environments in AI platforms, the importance of '
'least-privilege access, and the need for robust logging '
'and monitoring to detect covert malicious activity.',
'post_incident_analysis': {'corrective_actions': ['Isolated execution '
'environments for Playbook '
'Code Blocks',
'Restricted write access to '
'critical files',
'Enhanced VPC-SC '
'enforcement',
'Protected IMDS '
'credentials'],
'root_causes': ['Shared execution environment with '
'writable `code_execution_env.py`',
'Lack of restrictions on `exec()` '
'usage',
'VPC Service Controls bypass via '
'Cloud Run outbound access',
'IMDS credential leakage']},
'recommendations': ['Audit Dialogflow CX configurations for Playbook Code '
'Blocks usage',
'Review logs for anomalies pre-June 2026',
'Enforce VPC Service Controls and restrict outbound '
'internet access',
'Monitor for suspicious activity in AI agent pipelines',
'Apply Google’s patches and follow their security '
'advisories'],
'references': [{'source': 'Varonis Threat Labs'}],
'response': {'communication_strategy': 'Public disclosure by Varonis, '
'advisory to affected organizations',
'containment_measures': 'Patch deployed by Google (April 2026 - '
'June 2026)',
'enhanced_monitoring': 'Recommended post-patch',
'recovery_measures': 'Audit logs for anomalies, review '
'configurations, monitor for suspicious '
'activity',
'remediation_measures': 'Restricted write access to '
'`code_execution_env.py`, isolated '
'execution environments, VPC-SC '
'enforcement, IMDS credential protection',
'third_party_assistance': 'Varonis Threat Labs (disclosure)'},
'stakeholder_advisories': 'Organizations using Dialogflow CX with Playbook '
'Code Blocks were advised to audit logs and review '
'configurations.',
'title': "Critical 'Rogue Agent' Vulnerability in Google Cloud’s Dialogflow "
'CX Exposed AI Chatbots to Persistent Attacks',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CWE-94 (Code Injection), Shared Execution '
'Environment Misconfiguration, VPC Service '
'Controls Bypass, IMDS Credential Leakage'}