Researcher Finds Google Dialogflow CX Flaw Opened Door to Agent Hijacking

Google patched a flaw in Dialogflow CX that allowed an attacker with edit permissions on one chatbot to hijack others in the same cloud project.

CSBadmin
2 Min Read

The Rogue Agent Vulnerability

A security researcher at Varonis discovered a critical flaw in Google’s Dialogflow CX platform, named Rogue Agent. The vulnerability allowed an attacker with edit rights on one chatbot agent to compromise other agents within the same Google Cloud project. From this foothold, an attacker could read live conversations, steal user data, and force the chatbot to send attacker-written messages, such as prompts to re-enter a password. The attack required the dialogflow.playbooks.update permission, meaning the realistic threat actor was a malicious insider or someone with a compromised developer account, not an unauthenticated remote attacker.

The Shared Runtime Exploit

The flaw existed because Dialogflow’s Code Blocks feature places developer Python code into a shared, Google managed Cloud Run environment. Varonis found that a critical file within this shared environment was writable. A Code Block could be used to download a modified version of that file, effectively replacing it for every other agent sharing the environment. This allowed the malicious code to read all conversations, exfiltrate data, and impersonate the chatbot. The researcher also discovered that the environment had unrestricted outbound internet access, bypassing VPC Service Controls, and exposed the Instance Metadata Service. Google fixed the flaw in June 2026, and no evidence suggests it was exploited in real attacks.

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.

TAGGED:
Share This Article
Follow:
The latest in cybersecurity news and updates.