Google Fixes Rogue Agent Flaw In Dialogflow CX That Could Have Enabled Chatbot Hijacking

Google Fixes Rogue Agent Flaw In Dialogflow CX That Could Have Enabled Chatbot Hijacking

Google has addressed a critical security flaw in Dialogflow CX that could have allowed attackers with specific permissions to compromise multiple chatbots within the same Google Cloud project. The vulnerability, named Rogue Agent by security firm Varonis, affected organizations using Dialogflow’s Playbooks and custom Code Blocks, a feature that enables developers to add Python code to chatbot workflows. According to the researchers, the issue was not a remote unauthenticated vulnerability and could only be exploited by an individual who already possessed the dialogflow.playbooks.update permission on a Code Block enabled agent, limiting the potential threat to malicious insiders or compromised developer accounts.

Varonis found that every Dialogflow CX agent using Code Blocks within the same Google Cloud project shared a Google managed Cloud Run environment. Researchers discovered that a writable file called code_execution_env.py existed within this shared environment and was responsible for handling the execution of custom Python code. Because the file was writable, an attacker with access to a single Code Block enabled agent could overwrite it with a modified version hosted on an external server. Once replaced, the malicious file would execute across every Code Block enabled agent within the same project. This provided attackers with the ability to access live conversations, collect information shared by users, and inject attacker controlled messages into chatbot interactions, including phishing prompts requesting users to re enter passwords or other sensitive information. Researchers also noted that an attacker could restore the original Code Block in the console to conceal evidence of the modification while the malicious file continued operating inside the runtime environment.

The investigation also uncovered two additional security concerns within the Code Block environment. Researchers found that the environment had unrestricted outbound internet access, enabling data to be transmitted directly to external servers using Python’s built in libraries and allowing attackers to receive commands remotely. According to Varonis, this behavior could bypass Google Cloud’s Virtual Private Cloud Service Controls, creating a potential channel for data theft and remote control activities. The second issue involved access to the Instance Metadata Service, an internal endpoint that provides cloud credentials. Querying the service returned a token associated with a Google managed service account. Although the account had limited privileges and did not pose an immediate risk of privilege escalation, researchers stated that access to the metadata service from within a code execution sandbox represented an unnecessary exposure.

Varonis disclosed the Rogue Agent vulnerability to Google through its Vulnerability Reward Program in November 2025. Google introduced an initial fix in April 2026 and fully resolved the issue in June 2026, approximately seven months after receiving the report. Both Google and Varonis said there was no evidence that the vulnerability had been exploited in real world attacks, and no Common Vulnerabilities and Exposures identifier was assigned to the flaw. Security experts have advised organizations that used Dialogflow CX Code Block Playbooks before the remediation to review accounts with dialogflow.playbooks.update permissions, examine audit logs for unexpected playbook modifications, investigate failed user requests that may indicate malicious code execution, and verify that all Code Blocks within their Dialogflow environments are authorized. Researchers also noted that the incident highlights a different category of artificial intelligence security risk, one that stems from developer features and shared runtime environments rather than from manipulating AI models through prompt injection techniques.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment