Researchers uncover a flaw that could let attackers hijack Google Dialogflow CX agents
Google has fixed a Dialogflow CX flaw that could have allowed attackers to hijack AI agents and access private chats.
Security researchers have disclosed a major vulnerability in Google Cloud’s Dialogflow CX platform that could have allowed an attacker to take control of artificial intelligence agents using only one editing permission.
Table Of Content
The flaw was discovered by researchers at Varonis and affected the way custom Python code was handled within Dialogflow CX Playbooks. According to the researchers, an attacker with permission to edit one agent could potentially inject malicious code, access private conversations and interfere with other AI agents in the same Google Cloud project.
Dialogflow CX is a conversational AI platform used by organisations and developers to create text-based chatbots, voice assistants and other automated customer services. Google describes the platform as a tool for building conversational interfaces for websites, mobile applications, devices and interactive voice systems.
Google has since addressed the security issue, and Varonis said it had found no evidence that attackers exploited the vulnerability in real-world environments.
A shared cloud environment increased the potential impact
The vulnerability was linked to Code Blocks, a Dialogflow CX feature that allows developers to add custom Python code to conversational Playbooks. These Playbooks help guide how an AI agent responds to users and performs different actions during a conversation.
Varonis found that Code Blocks belonging to different agents within the same Google Cloud project were hosted in a shared Google-managed Cloud Run environment. This meant the execution environment was not limited to a single chatbot or AI agent.
According to the researchers, an attacker would not have required administrator access or broad control over a Google Cloud account. The attack could have started with a single permission called “dialogflow.playbooks.update”, which allows a user to modify a Playbook.
Once access had been obtained, malicious Python code could have been added to one agent’s Code Block. Varonis said the environment lacked sufficient restrictions on the code that could be executed. It also included a writable file system, access to the public internet, and permissions broader than necessary.
These conditions could have allowed an attacker to modify or completely replace important files used by the conversational AI system. The injected code could then remain active inside the shared environment and affect requests handled by other agents in the project.
The shared design increased the possible scale of an attack. Instead of compromising only the agent the attacker was authorised to edit, the malicious code could affect every Dialogflow CX agent in the same project environment.
Attack could expose conversations and manipulate AI replies
Varonis said a successful attack could have provided access to conversation histories and active session information. This data may contain private customer details, internal business information or other sensitive content shared during chatbot interactions.
The researchers also found that malicious code could potentially call internal functions and alter how agents responded to users. An attacker could use this access to generate fake replies that appeared to come from a legitimate organisation’s AI assistant.
Such control could create opportunities for phishing attacks. A compromised chatbot could direct users to fraudulent websites or ask them to provide usernames, passwords and other account information while appearing to operate normally.
Because malicious activity could occur within an organisation’s trusted AI service, users might be more likely to believe the altered responses. The attack could also allow information collected through conversations to be sent to an external server without the user’s knowledge.
Varonis warned that the activity could have been difficult for administrators to identify. Google Cloud Logging did not record the underlying file changes or the injected program logic, according to the researchers.
The company described the potential attack as “virtually undetectable” because standard cloud logs might not clearly show that files had been overwritten or that unauthorised code was running inside the environment.
The vulnerability demonstrated how permissions that appear limited to a single AI agent can pose broader risks when multiple agents share the same infrastructure. It also highlighted the importance of separating AI workloads and limiting the permissions available to custom code.
Google completed fixes after responsible disclosure
Varonis reported the vulnerability to Google in November 2025 through a responsible disclosure process. Google introduced an initial security fix in April 2026, but further testing revealed the issue was not fully resolved.
Additional changes were made before the vulnerability was considered fully addressed in June 2026. The researchers later published technical details after the remediation work had been completed.
Varonis said it had found no evidence that the weakness had been actively exploited before Google introduced the fixes. However, the company advised Dialogflow CX customers to review their environments for signs of suspicious activity.
Administrators were advised to examine DATA_WRITE audit records for unexpected “Playbooks.UpdatePlaybook” calls. These events may indicate that a Playbook was changed without authorisation or modified by an account that does not normally manage AI agents.
Customers were also encouraged to investigate unusual “Sessions.DetectIntent” errors. Unexpected increases in these errors could indicate that an agent experienced problems linked to unauthorised code or changes to its execution environment.
Varonis recommended manually reviewing the Code Blocks used by every Dialogflow CX agent. This process could help organisations identify malicious or unauthorised code that may have remained in place following earlier changes.
Although Google has fixed the vulnerability, the findings show how custom code features can expand the security risks associated with enterprise AI platforms. Organisations using conversational agents may need to apply strict access controls, regularly review code changes and ensure that permissions remain limited to the users who require them.





