A recently identified vulnerability within Google Cloud’s Dialogflow CX platform posed significant security risks by potentially allowing attackers to manipulate AI-driven conversations and access sensitive information, according to a report by Varonis.
Understanding Dialogflow CX
Dialogflow CX is a comprehensive conversational AI solution used by enterprises to create sophisticated virtual agents and chatbots. These tools are deployed across various sectors, including customer support and healthcare, to handle sensitive data and enhance customer interaction workflows.
The platform utilizes Playbooks, which contain Code Blocks, to integrate custom Python logic into conversation flows. This feature helps agents process user inputs, interface with APIs, and manage data more effectively.
Security Risks and Exploits
The execution of Code Blocks occurs in an environment managed by Google, specifically through the Cloud Run service. This setup allows for outbound internet connections and inter-data perimeter communication, which presented a crucial security flaw.
Varonis identified that all Dialogflow agents utilizing Code Blocks within the same Google Cloud Platform (GCP) project shared the same execution environment. This configuration, termed ‘Rogue Agent’ by Varonis, permitted attackers to modify key files within the environment due to unrestricted permission settings.
Without proper restrictions on running arbitrary Python code, malicious actors could alter these files, gaining access to user interactions and interfering with conversation workflows. This vulnerability allowed attackers to hijack sessions, impersonate legitimate flows, and exfiltrate sensitive data stealthily.
Implications and Google’s Response
The exploitation of this vulnerability enabled attackers to manipulate conversations to potentially conduct phishing and social engineering attacks. By altering key files, they could inject deceitful prompts and maintain persistent control over the agents without leaving traces in system logs.
Varonis revealed that the flaw also enabled the establishment of communication channels to external servers, bypassing Virtual Private Cloud (VPC) Service Controls intended to protect data perimeters. Additionally, the Instance Metadata Service (IMDS) could be targeted to obtain access tokens for Google-managed service accounts.
Upon discovery, Varonis promptly reported the issue to Google Cloud in November 2025. Google initiated an initial patch in April, with a complete resolution implemented by June.
This vulnerability highlighted a severe trust breach for organizations utilizing Dialogflow CX for customer interactions, emphasizing the need for robust security measures in AI-driven services.
