Experts claim to have successfully created a malicious agent on Google’s AI platform with just one modification permission.


  • Varonis discovered CVE-level vulnerabilities in Google Cloud Dialogflow CX, where malicious code blocks in Playbooks could hijack agents, exfiltrate chat logs, and steal credentials.
  • The shared Cloud Run environment with excessive privileges meant that one compromised agent could control all others in a project, with attacks virtually undetectable in Cloud Logging.
  • Google fixed the problem between April and June 2026; researchers advise reviewing audit logs, checking for abnormal errors, and manually inspecting code blocks for unauthorized code

Researchers recently discovered a critical vulnerability in Google Cloud’s Dialogflow CX, allowing malicious actors to take control of different AI agents, access chat logs, and even exfiltrate sensitive data such as login credentials.

Dialogflow CX is Google Cloud’s conversational AI platform used to create many voice and text chatbots. This platform allows developers to add code blocks, which are custom Python snippets, into conversation “Playbooks.” These blocks all run within a single Google-managed Cloud Run service, shared among all agents in a Google Cloud Platform project.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top