Artificial Intelligence

Google Dialogflow CX Bug Allowed Attackers to Hijack AI Conversations

The “Rogue Agent” vulnerability could have enabled attackers to silently manipulate AI conversations, exfiltrate data, and compromise every Dialogflow CX agent within the same Google Cloud project.

The "Rogue Agent" vulnerability could have enabled attackers to silently manipulate AI conversations, exfiltrate data, and compromise every Dialogflow CX agent within the same Google Cloud project.

A vulnerability in Google Cloud’s Dialogflow CX service could have allowed attackers to silently control agents, manipulate conversations, and exfiltrate sensitive information, Varonis reports.

Dialogflow CX is an enterprise-grade conversational AI platform that allows organizations to build complex virtual agents and chatbots for customer support, financial services, healthcare assistance, and sensitive data-handling workflows within enterprise environments.

For user conversation workflows, Dialogflow CX relies on Playbooks, which offer Code Blocks, to support embedding custom Python logic into conversation flows, enabling agents to process user input, call APIs, and manipulate data.

Code Blocks are executed within an environment controlled by Google, namely the Cloud Run service. Cloud Run instances can initiate outbound connections to the internet and communicate across data perimeters.

“Here lies the critical design detail — all Dialogflow agents that use Code Blocks in the same GCP project effectively share the same Cloud Run execution environment, which is managed by Google and is outside the victim’s scope,” says Varonis, which named the vulnerability Rogue Agent.

Varonis discovered that, within a Cloud Run instance with public access, a write-enabled file system, and running under a user with the ability to modify system files, when the permission to configure Code Blocks was enabled, it was possible to modify a key file responsible for executing Code Blocks using Python’s exec() function.

Advertisement. Scroll to continue reading.

Since there were no restrictions to run arbitrary Python code, the key file could be overwritten to implement malicious code that could provide access to user conversations and could allow Code Blocks pipeline interference and workflow manipulation.

“Because the injected Code Block is executed in the same scope inside exec(), attackers could reference these variables directly. This meant full visibility into ongoing conversations and the ability to hijack sessions or impersonate legitimate flows,” Varonis explains.

An attacker could also call internal functions to force the agent to return specific strings, enabling conversation manipulation that could lead to phishing and social engineering attacks.

By modifying the key file, an attacker could exfiltrate user conversations, inject phishing prompts disguised as legitimate reauthentication requests, and deploy a persistent logic to modify the file for every user. The modification did not appear in logs, making the attack completely invisible.

“The result? Attackers could silently take control of every agent in the same GCP project, manipulate conversations, and exfiltrate sensitive data without detection. For organizations relying on Dialogflow CX for customer interactions, this flaw represented a catastrophic breach of trust, all from a single, overlooked permission on a single agent,” Varonis notes.

The cybersecurity firm also discovered that it could establish a bidirectional communication channel to an external server, bypassing VPC Service Controls (used to enforce data perimeters), and that the Instance Metadata Service (IMDS) within the Cloud Run environment could be targeted to retrieve access tokens for a Google-managed service account.

Varonis reported the vulnerability to Google Cloud in November 2025. An initial patch was rolled out in April, with a complete fix deployed in June.

Related: How to Conduct a Successful Audit of AI-Driven Software Development

Related: Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors

Related: CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for Flaws

Related: ‘BioShocking’ Attack Tricks AI Browsers Into Stealing Credentials

Related Content

Vulnerabilities

The privilege escalation vulnerability tracked as CVE-2026-50656 has been patched with a Microsoft Malware Protection Engine update.

Artificial Intelligence

Wiz has disclosed the details of a new AI coding assistant attack method it has dubbed GhostApproval.

Vulnerabilities

The security refresh resolves 13 use-after-free bugs, including two critical-severity flaws found by Google.

Vulnerabilities

Tracked as CVE-2026-11405, the vulnerability allows unauthenticated attackers to access a device's web management interface.

Artificial Intelligence

Researchers show how attackers can use a crafted public GitHub Issue to trick AI-powered workflows into exposing data from private repositories without authentication.

Vulnerabilities

Attackers are exploiting the critical Gitea vulnerability CVE-2026-20896 to bypass authentication with a single HTTP header and access vulnerable repositories and secrets.

Artificial Intelligence

The audits are reportedly being spearheaded by CISA’s Attack Surface Evaluation team, a specialized unit tasked with conducting digital defense assessments and simulated hacking...

Vulnerabilities

Hackers are exploiting a recently patched critical vulnerability (CVE-2026-48282) in Adobe ColdFusion that carries a CVSS score of 10/10.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version