- Varonis uncovered CVE-level flaws in Google Cloud Dialogflow CX where malicious blocks of code in Playbooks could hijack agents, wipe chat logs, and steal credentials
- Shared Cloud Run environment with excess privileges meant that one compromised agent could control everyone else in a project, with attacks almost undetectable in Cloud Logging
- Google fixed the issue between April-June 2026; researchers advise reviewing audit logs, checking for abnormal errors, and manually inspecting code blocks for unauthorized code
Researchers recently found a critical vulnerability in Google Cloud’s Dialogflow CX that allows threat actors to take over various AI agents, access chat logs, and even wipe out sensitive data such as login credentials.
Dialogflow CX is Google Cloud’s conversational AI platform used to build many voice and text chatbots. This platform lets developers add code blocks, which are custom Python snippets, to conversational “Playbooks”. These blocks are all executed in a single Google-managed Cloud Run service shared across all agents in a Google Cloud Platform project.
Security researchers Varonis said they discovered a critical vulnerability where the theoretical attacker did not need broad admin access. With permission to edit a single chatbot’s settings, they would be able to plant malicious code relatively easily. The Cloud Run environment had no code restrictions, Varonis further explained, but had a writable file system, public Internet access, and ran with excess privileges. Key files could have been completely overwritten, it added.
Google issues a fix
As a result, the attacker had access to full conversation history and session state. They could call internal functions and fake LLM-generated responses which, they claim, can lead to phishing and credential theft.
Since the environment is shared per project, one compromised agent could take over every other agent in that project, and since Cloud Logging doesn’t catch the file overwrite or injected logic, the attack would be “virtually undetectable.”
Varonis reported the issue to Google in November 2025, and the latter returned with an initial fix in April 2026. However, the issue was not fully resolved until June 2026.
In the report, the researchers said there is no evidence of exploit attempts in the wild, and advise customers to review DATA_WRITE audit logs for Playbooks.UpdatePlaybook calls, check for anomalous Sessions.DetectIntent errors, and manually inspect each agent’s code blocks for remaining unauthorized code.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



