TheVortiq
Inteligencia Artificial

A Vulnerability in Dialogflow CX Allowed Creating Malicious Agents in Google Cloud

Varonis researchers demonstrated how an attacker with only edit permissions could take control of all chatbots in a project

July 16, 2026 · 4 min read

red padlock on black computer keyboard

TL;DR: A vulnerability in Google Cloud Dialogflow CX, fixed in June 2026, allowed attackers with edit permission to inject malicious code into chatbots, access histories, and steal credentials. The attack was undetectable and could compromise all agents in a project.

What happened?

Security researchers at Varonis discovered a critical vulnerability in Google Cloud Dialogflow CX, Google's conversational AI platform. The flaw allowed an attacker with only edit permission on a chatbot (agent) to inject malicious code into the Code Blocks of Playbooks (conversation scripts). These Python code blocks run in a Cloud Run environment shared by all agents in the same Google Cloud Platform project. This environment lacked code restrictions, had a writable file system, access to the public internet, and excessive privileges. This allowed the attacker to overwrite key files, access the full conversation history and session state, call internal functions, and fake LLM-generated responses for phishing and credential theft. Moreover, because it was a shared environment, a single compromised agent could take control of all other agents in the project. The attacks were virtually undetectable because Cloud Logging did not capture file overwrites or injected logic.

According to Varonis's technical report (published on their blog on June 24, 2026), the vulnerability was rated with a high severity level, although no specific CVE was assigned at the time of disclosure. The researchers detailed that the attack was based on the ability to modify the app.py file inside the Cloud Run container, allowing arbitrary code execution in the service context. Additionally, with access to the public internet, the attacker could establish communication with an external server to exfiltrate data or receive commands.

Why is it important?

This vulnerability is significant because it affects a widely used conversational AI platform for building customer service chatbots, virtual assistants, and other applications. The possibility that an attacker with minimal permissions could take control of all agents in a project and exfiltrate sensitive data such as access credentials poses a major security risk. Furthermore, the difficulty of detection increases the danger, as security teams might remain unaware of the compromise for extended periods.

Dialogflow CX is used by large organizations in sectors like banking, healthcare, retail, and telecommunications, where chatbots handle sensitive customer information. A successful attack could compromise not only conversation data but also user credentials and internal systems. The fact that the project-shared environment allowed a single compromised agent to affect all others multiplies the potential impact. Varonis noted that the flaw resembled a supply chain attack within the same project, where a malicious agent could spread laterally without needing privilege escalation.

Historically, similar incidents have occurred in low-code or serverless platforms, such as the AWS Lambda case in 2023, where shared functions were found exploitable to access environment variables of other functions. However, in Dialogflow CX, the severity is higher because code runs in a generative AI context, where falsified responses can deceive end users.

Consequences and lessons

Google fixed the vulnerability between April and June 2026, after being notified by Varonis in November 2025. There is no evidence of exploitation in real environments, but researchers recommend that customers review DATA_WRITE audit logs for Playbooks.UpdatePlaybook calls, look for anomalous Sessions.DetectIntent errors, and manually inspect each agent's Code Blocks for unauthorized code. This incident underscores the importance of applying the principle of least privilege in cloud environments, especially when running custom code. It also highlights the need for AI platform providers to implement robust sandboxing and detailed auditing to prevent and detect such attacks.

According to the timeline provided by Varonis, Google took approximately seven months to implement the full fix, reflecting the complexity of modifying the underlying Cloud Run architecture. The solution included file system restrictions, container permission limitations, and improved activity logging. However, Varonis warns that customers should still verify that their projects were not compromised during the exposure window.

This case also highlights the need for companies using conversational AI platforms to conduct regular security audits, especially when custom code execution is allowed. Trust in the cloud provider should not replace own security measures, such as project segmentation and log review.

What should readers know?

If your organization uses Dialogflow CX, it is crucial to verify that Google's security patch has been applied (fixed between April and June 2026). Additionally, review audit logs and your agents' Code Blocks for any signs of compromise. As a general practice, limit edit permissions on chatbots to authorized personnel only and consider project segmentation to reduce the impact of a potential breach.

Varonis provided specific indicators of compromise (IoCs): look in Google Cloud audit logs for google.cloud.dialogflow.cx.v3.Playbooks.UpdatePlaybook operations in the period before June 2026. They also recommend monitoring unusual Sessions.DetectIntent errors that could indicate response manipulation. Finally, manually inspect each agent for unauthorized Python code in Code Blocks, especially those making network connections or accessing the file system.

For security teams, this incident reinforces the need to apply the principle of least privilege even at the AI platform level. It also suggests that companies should consider implementing file integrity monitoring tools in serverless environments, as well as periodic review of Dialogflow CX agent configurations. Collaboration between cloud providers and security firms is essential to identify and mitigate such vulnerabilities before they are exploited.

Keep reading