- Varonis uncovered CVE‑level flaws in Google Cloud Dialogflow CX, where malicious Code Blocks in Playbooks could hijack agents, exfiltrate chat logs, and steal credentials
- Shared Cloud Run environment with excess privileges meant one compromised agent could control all others in a project, with attacks virtually undetectable in Cloud Logging
- Google patched the issue between April–June 2026; researchers advise reviewing audit logs, checking anomalous errors, and manually inspecting Code Blocks for unauthorized code
Researchers recently found a critical vulnerability in Google Cloud’s Dialogflow CX, allowing threat actors to take over different AI agents, access chat logs, and even exfiltrate sensitive data such as login credentials.
Dialogflow CX is Google Cloud’s conversational AI platform used to build many voice and text chatbots. This platform lets developers add Code Blocks, which are custom Python snippets, into conversation “Playbooks”. These blocks all execute inside a single Google-managed Cloud Run service, shared across all agents in a Google Cloud Platform project.
Security researchers Varonis said they discovered a critical vulnerability in which the theoretical attacker didn’t need broad admin access. With permission to edit a single chatbot’s settings, they would be able to plant malicious code relatively easily. The Cloud Run environment had no code restrictions, Varonis further explained, but had a writable filesystem, public internet egress, and ran with excess privileges. Key files could have been overwritten entirely, it was added.
Google issues a fix
As a result, the attacker had access to full conversation history and session state. They could call internal functions and fake LLM-generated replies which, they claim, could lead to phishing and credential theft.
Since the environment is shared per-project, one compromised agent could take over every other agent in that project, and since Cloud Logging doesn’t capture the file overwrite or injected logic, the attack would be “virtually undetectable.”
Varonis reported the issue to Google in November 2025, and the latter came back with an initial fix in April 2026. However, the issue had not been fully resolved until June 2026.
In the report, the researchers said there is no evidence of in-the-wild exploitation attempts and advises customers to review DATA_WRITE audit logs for Playbooks.UpdatePlaybook calls, check for anomalous Sessions.DetectIntent errors, and manually inspect each agent’s Code Blocks for leftover unauthorized code.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/8vLsLeC4LHKgwTpJRXEWKZ-1920-80.jpg
Source link




