Critical Vulnerability in GCP Dialogflow Allows Attackers to Inject Malicious Code

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A critical vulnerability in Google Cloud Platform’s Dialogflow CX that lets attackers inject persistent malicious code into an organization’s AI-powered chatbot pipeline.

The flaw, dubbed “Rogue Agent,” disclosed by Varonis Threat Labs, could silently exfiltrate conversations and enable large-scale phishing campaigns, requiring only a single edit permission to trigger.

The exploit abused Playbook Code Blocks, a Dialogflow CX feature that lets developers embed custom Python logic to process user input and call external APIs within a Google-managed execution environment.

GCP Dialogflow Vulnerability

All agents using Code Blocks in the same GCP project share the same Cloud Run execution environment, and researchers found that a key file, code_execution_env.py, which runs Code Block logic via Python’s exec() function, was writable and lacked code restrictions.

By overwriting this file, an attacker gained access to shared session variables like conversation history and could hijack every agent’s execution scope on the project.

Only the dialogflow.playbooks.update permission, which can be scoped to a single agent, was needed to configure Code Blocks and thereby execute arbitrary Python.

Attackers could exfiltrate conversation data to external servers, impersonate the agent’s legitimate responses using internal functions like respond(), and inject phishing prompts disguised as reauthentication requests to steal user credentials.

Once the malicious code was persisted, attackers could restore the original-looking configuration in the console, making the compromise invisible in Cloud Logging.

Varonis uncovered two compounding issues that amplified the risk:

  • VPC-SC bypass: Cloud Run’s unrestricted outbound internet access let attackers turn the execution environment into a covert data-exfiltration proxy, even when VPC Service Controls were enforced on the agent.
  • IMDS credential leakage: Exposure of the Instance Metadata Service allowed retrieval of access tokens tied to a Google-managed service account, violating isolation principles despite the account’s low privileges.
Rogue Agent (Source: Varonis)

Varonis reported the vulnerability to Google in November 2025; Google shipped an initial fix in April 2026 and fully resolved the issue by June 2026, with no known in-the-wild exploitation before the patch.

Rogue Agent joins a growing list of AI-platform vulnerabilities Varonis has responsibly disclosed, following Reprompt in Microsoft Copilot Personal and SearchLeak in Microsoft Copilot Enterprise, the latter patched as CVE-2026-42824 with a maximum critical severity rating.

This pattern reflects a broader trend, with roughly 80% of Fortune 500 companies now actively using AI agents, expanding the potential attack surface across cloud platforms.

Google and Varonis recommend organizations that used Dialogflow CX with Playbook Code Blocks before the patch take the following steps:

  • Enable DATA_WRITE audit logs for the Dialogflow API and review past playbook update events for anomalies.
  • Correlate suspicious updates with rare API access, unusual IP addresses, or atypical access times.
  • Query Cloud Logging for failed requests and inspect protoPayload.status.message for exceptions tied to malicious Code Block logic.
  • Manually review each agent’s Playbooks in the Dialogflow CX console to confirm only whitelisted Code Blocks are configured.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide