Full Report
A critical flaw in Google's Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent compromise other Code Block-enabled agents in the same Google Cloud project. From there, they could read live conversations, steal the data users shared, and make the bots send attacker-written messages, including requests to re-enter a password. Security firm Varonis found it
Analysis Summary
# Vulnerability: Rogue Agent (Google Dialogflow CX Code Block Escape)
## CVE Details
- **CVE ID:** None Assigned (Confirmed by article)
- **CVSS Score:** N/A (Estimated Critical/High severity based on impact)
- **CWE:** CWE-73 (External Control of File Name or Path), CWE-94 (Improper Control of Generation of Code)
## Affected Systems
- **Products:** Google Dialogflow CX
- **Versions:** Versions prior to June 2026 update
- **Configurations:** Organizations using Dialogflow **Playbooks** with custom **Code Blocks** enabled.
## Vulnerability Description
The "Rogue Agent" flaw stems from a lack of isolation within the Google-managed Cloud Run environment used to execute Python-based Code Blocks. In this architecture, all agents within a single Google Cloud project share the same execution container.
Researchers discovered that the wrapper file responsible for executing custom scripts, `code_execution_env.py`, was writable by the Code Block itself. Providing an attacker has the `dialogflow.playbooks.update` permission, they could deploy a malicious block that overwrites this wrapper. Because the container is shared, the modification impacts every other Code Block-enabled agent in the project, allowing the attacker to intercept execution logic across the entire environment.
## Exploitation
- **Status:** PoC available (developed by Varonis); No evidence of exploitation in the wild.
- **Complexity:** Medium (Requires specific IAM permissions and knowledge of the internal environment structure).
- **Attack Vector:** Network (Authenticated/Malicious Insider).
## Impact
- **Confidentiality:** **High** – Ability to read live conversations, session IDs, and user-provided data (PII) across all agents in the project.
- **Integrity:** **High** – Attackers can inject responses into active chats, perform phishing (e.g., asking for passwords), and bypass VPC Service Controls to exfiltrate data.
- **Availability:** **Low** – While the service remains up, the trustworthiness of the bot's logic is fully compromised.
## Remediation
### Patches
- **Google Cloud Update:** Google implemented a full resolution in June 2026. As Dialogflow CX is a managed service (SaaS), the fix was applied server-side by Google. Users do not need to manually patch software but should verify their environments.
### Workarounds
- **IAM Hardening:** Restrict the `dialogflow.playbooks.update` permission to the absolute minimum number of trusted users.
- **Project Isolation:** Use separate Google Cloud projects for high-sensitivity agents to prevent cross-contamination in the shared execution environment.
## Detection
- **Indicators of Compromise:**
- Unexpected outbound network calls from Code Blocks to unknown IP addresses (indicative of the `urllib` bypass).
- Discrepancies between the code visible in the Dialogflow console and the actual behavior of the bot.
- **Detection Methods:**
- Monitor IAM logs for unusual modifications to Playbooks or Code Blocks.
- Audit conversational logs for anomalous bot behavior, such as requests for sensitive information (passwords, tokens) that are not part of the standard design.
## References
- **Vendor Advisory:** Google Vulnerability Reward Program (Nov 2025 - June 2026)
- **Varonis Research:** hxxps://www[.]varonis[.]com/blog/rogue-agent-dialogflow-attack
- **News Source:** hxxps://thehackernews[.]com/2026/07/rogue-agent-flaw-could-have-let.html