What happened
Varonis Threat Labs disclosed 'Rogue Agent' (reported to Google November 2025, publicly detailed July 7, 2026): a critical vulnerability in Dialogflow CX where Code Blocks execute in a shared Cloud Run instance across all agents in a project, allowing one compromised or malicious agent's code to affect all others in that project.
Why it matters
Highlights a systemic multi-tenancy isolation failure in a major cloud-hosted conversational-AI platform used widely for customer-facing chatbots; even though patched with no known exploitation, it demonstrates how shared execution environments in GenAI platforms create blast-radius risk across otherwise-isolated customer AI agents.
Attack vector
An attacker with dialogflow.playbooks.update permission on a single Code-Block-enabled agent could inject persistent malicious Python code into the shared Google-managed Cloud Run execution environment (via a writable code_execution_env.py file and Python exec()), affecting every other Dialogflow CX agent using Code Blocks within the same GCP project — enabling silent conversation monitoring, bot impersonation, and large-scale phishing campaigns.
Affected systems
Google Cloud Dialogflow CX (Playbooks with Code Blocks feature) — patched fully by June 2026
Mitigation
Fully remediated by Google (initial fix April 2026, complete remediation June 2026); customers advised to audit Dialogflow CX configurations for suspicious Playbook updates and review past playbook update actions.