Experts say they were able to create a fraudulent agent on Google’s AI platform with a single edit permission.



  • Varonis discovered CVE-level flaws in Google Cloud Dialogflow CX, where malicious blocks of code in Playbooks could hijack agents, leak chat logs, and steal credentials.
  • Cloud Run’s overprivileged shared environment meant that one compromised agent could control everyone else in a project, with attacks virtually undetectable in Cloud Logging.
  • Google fixed the issue between April and June 2026; Researchers recommend reviewing audit logs, checking for anomalous errors, and manually inspecting code blocks for unauthorized code.

Researchers recently found a critical vulnerability in Google Cloud’s Dialogflow CX, which allows threat actors to take control of different AI agents, access chat logs, and even leak sensitive data such as login credentials.

Dialogflow CX is Google Cloud’s conversational AI platform used to create many voice and text chatbots. This platform allows developers to add code blocks, which are custom Python snippets, into conversational “Playbooks.” All of these blocks run within a single Google-managed Cloud Run service, shared among all agents in a Google Cloud Platform project.

Leave a Comment

Your email address will not be published. Required fields are marked *