Varonis Threat Labs has disclosed a critical vulnerability in Google Cloud Platform’s Dialogflow CX, the service many organizations rely on to build AI-powered chatbots and virtual agents. Dubbed “Rogue Agent,” the flaw allowed attackers to inject persistent malicious code into an organization’s chatbot pipeline using nothing more than a single edit permission, with the potential to silently exfiltrate conversation data and power large-scale phishing campaigns.
How the Rogue Agent Exploit Works
The vulnerability centers on Playbook Code Blocks, a Dialogflow CX feature that lets developers embed custom Python logic to process user input and call external APIs from within a Google-managed execution environment. Varonis researchers found that all agents using Code Blocks within the same GCP project share a single underlying Cloud Run execution environment.
Critically, a key file — code_execution_env.py — which runs Code Block logic via Python’s exec() function, was writable and lacked adequate code restrictions. That meant an attacker who only had the dialogflow.playbooks.update permission, which can be scoped to a single agent, could use it to configure Code Blocks and execute arbitrary Python code within the shared environment.
What an Attacker Could Do
Once code execution was achieved, the implications extended well beyond the single compromised agent. Attackers were able to:
- Exfiltrate live conversation data to external, attacker-controlled servers.
- Impersonate the agent’s legitimate responses using internal functions such as
respond(). - Inject phishing prompts disguised as reauthentication requests to harvest user credentials directly inside a trusted chatbot conversation.
- Restore the original-looking configuration afterward, making the compromise effectively invisible in Cloud Logging.
That last point is especially concerning for incident response teams: the ability to revert to a clean-looking configuration after the malicious code has run means standard log review may not surface any evidence that a compromise occurred.
Two Compounding Issues Made It Worse
Varonis identified two additional issues that amplified the severity of the core flaw:
- VPC-SC bypass: Cloud Run’s unrestricted outbound internet access allowed attackers to turn the shared execution environment into a covert data-exfiltration proxy, even in projects where VPC Service Controls were explicitly enforced on the agent.
- IMDS credential leakage: Exposure of the Instance Metadata Service (IMDS) allowed retrieval of access tokens tied to a Google-managed service account, a violation of the isolation boundaries the shared execution model was supposed to guarantee.
Together, these issues meant that a single low-privilege foothold in one Dialogflow agent could, in principle, be leveraged to affect every other agent sharing the same Cloud Run environment within a project, and to exfiltrate data past network controls that administrators believed were blocking it.
Why This Matters for Enterprise AI Deployments
Dialogflow CX is widely used for customer-facing support bots, internal helpdesk automation, and increasingly as a backend for more sophisticated conversational AI products. As organizations rush to embed AI agents into customer touchpoints, this disclosure is a reminder that the security perimeter for these systems extends beyond prompt design and content filtering into the underlying execution infrastructure itself.
The multi-tenant nature of the flaw, with multiple agents sharing one execution environment, is also a pattern worth watching more broadly as cloud providers build out shared infrastructure for AI workloads. A single misconfigured or malicious agent should not be able to compromise the isolation boundary for unrelated agents in the same environment.
Recommended Actions
- Audit Dialogflow CX projects for agents using Playbook Code Blocks and review who holds dialogflow.playbooks.update permissions.
- Treat conversational AI logs as a potential blind spot; supplement Cloud Logging with independent monitoring where possible.
- Verify that VPC Service Controls are enforced at the network layer, not solely relied upon for AI agent isolation.
- Restrict and monitor access to Instance Metadata Service endpoints from within managed execution environments.
- Apply any patches or configuration guidance issued by Google in response to the Varonis disclosure.
Google has been notified of the findings by Varonis Threat Labs. Organizations running Dialogflow CX agents with Code Blocks enabled should treat this as a priority review item, particularly if those agents handle customer conversations or have any path to sensitive backend systems.