- Varonis discovered CVE-level vulnerabilities in Google Cloud Dialogflow CX, where malicious code blocks in Playbooks could hijack agents, exfiltrate chat logs, and steal credentials.
- The shared Cloud Run environment with excessive privileges meant that one compromised agent could control all others in a project, with attacks virtually undetectable in Cloud Logging.
- Google fixed the problem between April and June 2026; researchers advise reviewing audit logs, checking for abnormal errors, and manually inspecting code blocks for unauthorized code
Researchers recently discovered a critical vulnerability in Google Cloud’s Dialogflow CX, allowing malicious actors to take control of different AI agents, access chat logs, and even exfiltrate sensitive data such as login credentials.
Dialogflow CX is Google Cloud’s conversational AI platform used to create many voice and text chatbots. This platform allows developers to add code blocks, which are custom Python snippets, into conversation “Playbooks.” These blocks all run within a single Google-managed Cloud Run service, shared among all agents in a Google Cloud Platform project.
Security researchers Varonis said they discovered a critical vulnerability in which the theoretical attacker did not require broad administrator access. If they were allowed to change the settings of a single chatbot, they would be able to plant malicious code relatively easily. The Cloud Run environment had no code restrictions, Varonis explained, but had a writable file system, public Internet egress, and operated with excessive privileges. The key files could have been completely overwritten, it was added.
Google releases a fix
As a result, the attacker had access to the entire conversation history and session state. They could call internal functions and fake the responses generated by LLM, which they believe could lead to phishing and credential theft.
Since the environment is shared per project, a compromised agent could take over all other agents in that project, and because Cloud Logging does not capture file overwrite or injection logic, the attack would be “virtually undetectable.”
Varonis reported the problem to Google in November 2025, and the latter came back with a first fix in April 2026. However, the problem was not fully resolved until June 2026.
In the report, researchers said there was no evidence of exploitation attempts in the wild and advised customers to review DATA_WRITE audit logs for Playbooks.UpdatePlaybook calls, look for anomalous Sessions.DetectIntent errors, and manually inspect each agent’s code blocks for remnants of unauthorized code.

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




