Google Cloud Platform’s (GCP) Dialogflow CX has been identified with a critical vulnerability known as ‘Rogue Agent.’ This flaw allows attackers to inject persistent malicious code into an organization’s AI-driven chatbot systems, posing significant security risks.
Understanding the Rogue Agent Flaw
Research by Varonis Threat Labs has brought to light this vulnerability, which can silently extract conversation data and facilitate extensive phishing operations. The core of the exploit lies in the Playbook Code Blocks, a feature designed for embedding custom Python logic to manage user inputs and interact with external APIs within a Google-managed execution environment.
All agents utilizing Code Blocks within the same GCP project share a common Cloud Run execution environment. Researchers found that the file code_execution_env.py, integral to executing Code Block logic via Python’s exec() function, was inadequately protected, allowing it to be overwritten by attackers. This exposure enables unauthorized access to session variables like conversation history and the capacity to hijack the execution scope of every agent within the project.
Exploitation and Security Risks
The attack requires only the dialogflow.playbooks.update permission, which can be limited to a single agent, to configure Code Blocks for arbitrary Python execution. Attackers could potentially exfiltrate conversation data to external servers, impersonate legitimate agent responses, and inject phishing prompts disguised as reauthentication requests to obtain user credentials.
Once embedded, the malicious code could be masked by restoring the appearance of legitimate configuration in the console, evading detection in Cloud Logging. Varonis identified two additional issues exacerbating the threat: unrestricted outbound internet access in Cloud Run, allowing the environment to be used as a covert data-exfiltration proxy, and the exposure of Instance Metadata Service, which could leak access tokens tied to a Google-managed service account.
Response and Recommendations
Google was alerted to the vulnerability in November 2025, with an initial fix released in April 2026, and a complete resolution by June 2026. Fortunately, there were no reported cases of exploitation in the wild prior to the patch. This incident adds to a series of AI platform vulnerabilities identified by Varonis, including issues in Microsoft Copilot.
To mitigate risks, Google and Varonis advise organizations using Dialogflow CX with Playbook Code Blocks to enable DATA_WRITE audit logs for the Dialogflow API, scrutinize past playbook update events, and correlate suspicious updates with unusual API access patterns. Additionally, querying Cloud Logging for failed requests and inspecting protoPayload.status.message for exceptions can help identify malicious Code Block logic. A thorough manual review of each agent’s Playbooks in the Dialogflow CX console is recommended to ensure only authorized Code Blocks are active.
As AI technologies become more prevalent, with around 80% of Fortune 500 companies deploying AI agents, the potential attack surface on cloud platforms expands, underscoring the necessity for vigilant security practices.
