Dialogflow CX Flaw Enables Persistent Chatbot Injection Attacks

Researchers uncovered a Dialogflow CX vulnerability that lets attackers inject persistent malicious code, potentially exfiltrating conversations and enabling phishing campaigns.

CSBadmin
2 Min Read

A critical vulnerability in Google Cloud Platform’s Dialogflow CX, named “Rogue Agent,” allows attackers to inject persistent malicious code into an organization’s AI chatbot pipeline. The flaw, disclosed by Varonis Threat Labs, requires only a single edit permission to exploit. It could be used to silently exfiltrate conversations and launch large scale phishing campaigns.

How the Attack Works

The exploit targets Playbook Code Blocks, a Dialogflow CX feature that lets developers embed custom Python logic. All agents using Code Blocks in the same GCP project share a common Cloud Run execution environment. Researchers discovered that a key file, code_execution_env.py, was writable and lacked code restrictions. By overwriting this file, an attacker gained access to shared session variables, including conversation history, effectively hijacking every agent’s execution scope in the project.

Impact and Scope

Attackers could exfiltrate conversation data to external servers, impersonate legitimate agent responses, and inject phishing prompts disguised as reauthentication requests to steal user credentials. The malicious code could be persisted while restoring the original configuration in the console, making the compromise invisible in Cloud Logging. Varonis reported the vulnerability to Google in November 2025, with Google shipping an initial fix in April 2026 and fully resolving the issue by June 2026. No known in the wild exploitation occurred before the patch.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.