Vulnerability  ·  2026-07-09

Rogue Agent — Google Dialogflow CX Code Blocks Cross-Agent Code Injection Enabling Chatbot Hijacking

VulnerabilityHigh impactGlobal
Varonis Threat Labs disclosed 'Rogue Agent' (reported to Google November 2025, publicly detailed July 7, 2026): a critical vulnerability in Dialogflow CX where Code Blocks execute in a shared Cloud Run instance across all agents in a project, allowing one compromised or malicious agent's code to affect all others in that project.
Highlights a systemic multi-tenancy isolation failure in a major cloud-hosted conversational-AI platform used widely for customer-facing chatbots; even though patched with no known exploitation, it demonstrates how shared execution environments in GenAI platforms create blast-radius risk across otherwise-isolated customer AI agents.
An attacker with dialogflow.playbooks.update permission on a single Code-Block-enabled agent could inject persistent malicious Python code into the shared Google-managed Cloud Run execution environment (via a writable code_execution_env.py file and Python exec()), affecting every other Dialogflow CX agent using Code Blocks within the same GCP project — enabling silent conversation monitoring, bot impersonation, and large-scale phishing campaigns.
Google Cloud Dialogflow CX (Playbooks with Code Blocks feature) — patched fully by June 2026
Fully remediated by Google (initial fix April 2026, complete remediation June 2026); customers advised to audit Dialogflow CX configurations for suspicious Playbook updates and review past playbook update actions.
Varonis - Rogue Agent: How a Single Code Block Could Hijack Your AI Conversations in Google's DialogFlowThe Hacker News - Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →