A severe security vulnerability in Google's Dialogflow CX, named "Rogue Agent," could have allowed attackers with edit permissions on a Code Block-enabled agent to compromise other agents within the same Google Cloud project. Once inside, bad actors had the ability to read active conversations, harvest sensitive user-shared data, and force the AI bots to send malicious messages, such as deceptive prompts urging users to re-enter their passwords.
Uncovered by security firm Varonis, the vulnerability specifically targeted organizations utilizing Dialogflow's Playbooks combined with custom Python Code Blocks. This was not an unauthenticated, external threat; exploiting it required specific update permissions on a single agent. This high barrier to entry limits potential attackers to malicious insiders or compromised developer accounts, though a breach on just one agent could quickly cascade across the entire project.
While Google has successfully patched the vulnerability, both the tech giant and Varonis confirmed there is no evidence the exploit was ever used in real-world attacks. Under the hood, Dialogflow runs customer Python code in a Google-managed Cloud Run environment. However, Varonis discovered that all Code Block-enabled agents within a single Google Cloud project shared a single instance of this environment, completely lacking proper isolation between different agents.
When a chatbot executes a custom Code Block, the developer's Python code is appended to internal setup code and executed via Python's execution function. This setup wrapper defines critical variables and functions like conversation history, session details, and the function used to generate bot replies. Crucially, the file responsible for managing this wrapper, code_execution_env.py, was left with write permissions inside the shared container.
Because this critical file was writable, a single malicious Code Block could easily overwrite it by downloading a modified version of code_execution_env.py from an attacker's external server. Once hijacked, the attacker’s modified file would execute for every Code Block run by any agent sharing that project environment. This granted the attacker silent, persistent access to live chat histories, active sessions, and the direct ability to spoof chatbot responses.
Source: https://thehackernews.com/2026/07/rogue-agent-flaw-could-have-let.html


