A significant security flaw, termed “Rogue Agent,” was identified in Google Cloud Platform’s (GCP) Dialogflow CX, a service widely used for developing AI-powered chatbots. This vulnerability allowed attackers to inject persistent malicious code into an organization’s chatbot pipeline, potentially leading to unauthorized data exfiltration and large-scale phishing attacks.
Dialogflow CX enables developers to create conversational agents by utilizing features like Playbook Code Blocks. These blocks allow the embedding of custom Python code to process user inputs and interact with external APIs within a Google-managed execution environment. However, researchers discovered that all agents employing Code Blocks within the same GCP project shared a common Cloud Run execution environment. A critical file, code_execution_env.py, responsible for executing Code Block logic via Python’s exec() function, was found to be writable and lacked adequate code restrictions.
By overwriting this file, an attacker could access shared session variables, including conversation histories, and hijack the execution scope of every agent within the project. Exploiting this flaw required only the dialogflow.playbooks.update permission, which could be scoped to a single agent. This permission allowed the configuration of Code Blocks to execute arbitrary Python code.
Potential consequences of this exploit included the exfiltration of conversation data to external servers, impersonation of legitimate agent responses using internal functions like respond(), and the injection of phishing prompts disguised as reauthentication requests to steal user credentials. Once the malicious code was embedded, attackers could restore the original configuration in the console, rendering the compromise undetectable in Cloud Logging.
Further compounding the risk were two additional issues:
- VPC-SC Bypass: Cloud Run’s unrestricted outbound internet access allowed attackers to transform the execution environment into a covert data-exfiltration proxy, even when Virtual Private Cloud Service Controls (VPC-SC) were enforced on the agent.
- IMDS Credential Leakage: Exposure of the Instance Metadata Service permitted retrieval of access tokens associated with a Google-managed service account, violating isolation principles despite the account’s low privileges.
The vulnerability was reported to Google in November 2025. An initial fix was deployed in April 2026, with a comprehensive resolution implemented by June 2026. There is no evidence to suggest that this vulnerability was exploited in the wild prior to the patch.
This incident underscores the critical importance of securing AI platforms, especially as their adoption continues to rise among enterprises. Organizations utilizing Dialogflow CX with Playbook Code Blocks before the patch are advised to:
- Enable
DATA_WRITEaudit logs for the Dialogflow API and review past playbook update events for anomalies. - Correlate suspicious updates with rare API access, unusual IP addresses, or atypical access times.
- Query Cloud Logging for failed requests and inspect
protoPayload.status.messagefor exceptions linked to malicious activities.
As AI technologies become increasingly integrated into business operations, ensuring their security is paramount. This incident serves as a stark reminder of the potential risks associated with rapid AI adoption and the necessity for robust security measures to protect sensitive data and maintain user trust.