Experts say they were able to create a rogue agent in Google’s AI platform with just a single edit permission


  • Varonis uncovered CVE-level flaws in Google Cloud Dialogflow CX where malicious blocks of code in Playbooks could hijack agents, wipe chat logs, and steal credentials
  • Shared Cloud Run environment with excess privileges meant that one compromised agent could control everyone else in a project, with attacks almost undetectable in Cloud Logging
  • Google fixed the issue between April-June 2026; researchers advise reviewing audit logs, checking for abnormal errors, and manually inspecting code blocks for unauthorized code

Researchers recently found a critical vulnerability in Google Cloud’s Dialogflow CX that allows threat actors to take over various AI agents, access chat logs, and even wipe out sensitive data such as login credentials.

Dialogflow CX is Google Cloud’s conversational AI platform used to build many voice and text chatbots. This platform lets developers add code blocks, which are custom Python snippets, to conversational “Playbooks”. These blocks are all executed in a single Google-managed Cloud Run service shared across all agents in a Google Cloud Platform project.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top