The Rogue Agent Vulnerability
A security researcher at Varonis discovered a critical flaw in Google’s Dialogflow CX platform, named Rogue Agent. The vulnerability allowed an attacker with edit rights on one chatbot agent to compromise other agents within the same Google Cloud project. From this foothold, an attacker could read live conversations, steal user data, and force the chatbot to send attacker-written messages, such as prompts to re-enter a password. The attack required the dialogflow.playbooks.update permission, meaning the realistic threat actor was a malicious insider or someone with a compromised developer account, not an unauthenticated remote attacker.
The Shared Runtime Exploit
The flaw existed because Dialogflow’s Code Blocks feature places developer Python code into a shared, Google managed Cloud Run environment. Varonis found that a critical file within this shared environment was writable. A Code Block could be used to download a modified version of that file, effectively replacing it for every other agent sharing the environment. This allowed the malicious code to read all conversations, exfiltrate data, and impersonate the chatbot. The researcher also discovered that the environment had unrestricted outbound internet access, bypassing VPC Service Controls, and exposed the Instance Metadata Service. Google fixed the flaw in June 2026, and no evidence suggests it was exploited in real attacks.
Source: The Hacker News
