A critical vulnerability in Google Cloud Platform’s Dialogflow CX, named “Rogue Agent,” allows attackers to inject persistent malicious code into an organization’s AI chatbot pipeline. The flaw, disclosed by Varonis Threat Labs, requires only a single edit permission to exploit. It could be used to silently exfiltrate conversations and launch large scale phishing campaigns.
How the Attack Works
The exploit targets Playbook Code Blocks, a Dialogflow CX feature that lets developers embed custom Python logic. All agents using Code Blocks in the same GCP project share a common Cloud Run execution environment. Researchers discovered that a key file, code_execution_env.py, was writable and lacked code restrictions. By overwriting this file, an attacker gained access to shared session variables, including conversation history, effectively hijacking every agent’s execution scope in the project.
Impact and Scope
Attackers could exfiltrate conversation data to external servers, impersonate legitimate agent responses, and inject phishing prompts disguised as reauthentication requests to steal user credentials. The malicious code could be persisted while restoring the original configuration in the console, making the compromise invisible in Cloud Logging. Varonis reported the vulnerability to Google in November 2025, with Google shipping an initial fix in April 2026 and fully resolving the issue by June 2026. No known in the wild exploitation occurred before the patch.
Source: Cyber Security News
