- Varonis discovered CVE-level flaws in Google Cloud Dialogflow CX, where malicious blocks of code in Playbooks could hijack agents, leak chat logs, and steal credentials.
- Cloud Run’s overprivileged shared environment meant that one compromised agent could control everyone else in a project, with attacks virtually undetectable in Cloud Logging.
- Google fixed the issue between April and June 2026; Researchers recommend reviewing audit logs, checking for anomalous errors, and manually inspecting code blocks for unauthorized code.
Researchers recently found a critical vulnerability in Google Cloud’s Dialogflow CX, which allows threat actors to take control of different AI agents, access chat logs, and even leak sensitive data such as login credentials.
Dialogflow CX is Google Cloud’s conversational AI platform used to create many voice and text chatbots. This platform allows developers to add code blocks, which are custom Python snippets, into conversational “Playbooks.” All of these blocks run within a single Google-managed Cloud Run service, shared among all agents in a Google Cloud Platform project.
Security researchers Varonis said they discovered a critical vulnerability in which the theoretical attacker did not need broad administrator access. With permission to edit the settings of a single chatbot, they could plant malicious code with relative ease. The Cloud Run environment had no code restrictions, Varonis explained in more detail, but it had a writable file system, public egress to the Internet, and ran with excessive privileges. Added that key files could have been completely overwritten.
Google issues a solution
As a result, the attacker had access to the entire conversation history and session state. They could call internal functions and fake responses generated by LLM which they claim could lead to phishing and credential theft.
Since the environment is shared by project, a compromised agent could take over all other agents in that project, and since Cloud Logging does not capture file overwrites or injected logic, the attack would be “virtually undetectable.”
Varonis reported the issue to Google in November 2025, and the latter returned with an initial fix in April 2026. However, the issue was not fully resolved until June 2026.
In the report, the researchers said there is no evidence of exploitation attempts in the wild and advise customers to review the DATA_WRITE audit logs for Playbooks.UpdatePlaybook calls, check for anomalous Sessions.DetectIntent errors, and manually inspect each agent’s code blocks for leftover unauthorized code.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




