Varonis uncovered critical vulnerabilities in Google Cloud’s Dialogflow CX that allowed malicious Code Blocks in Playbooks to hijack agents, exfiltrate chat logs, and steal credentials. The shared Cloud Run environment featured excessive privileges, enabling one compromised agent to control all others within a project, with attacks remaining virtually undetectable in Cloud Logging.
Google patched these vulnerabilities between April and June 2026. Researchers recommended reviewing audit logs, checking for anomalous errors, and manually inspecting Code Blocks for unauthorized code.
The vulnerability allowed threat actors access to different AI agents, full conversation history, and sensitive data such as login credentials. Dialogflow CX is an AI platform that enables developers to build voice and text chatbots, allowing for the inclusion of custom Python snippets, known as Code Blocks, within conversation Playbooks, all executing in a shared Cloud Run service.
Varonis stated that the attacker did not need broad admin access; permission to edit a single chatbot’s settings was sufficient to plant malicious code. The Cloud Run environment lacked code restrictions, featured a writable filesystem, and included public internet egress, which could lead to complete overwriting of key files.
Once compromised, an agent could take over all others in the project. The limitation of Cloud Logging meant that file overwrites or injected logic would go undetected. Varonis reported the vulnerabilities to Google in November 2025. An initial fix was released in April 2026, with full resolution achieved by June 2026.
There is no evidence of any in-the-wild exploitation attempts. Researchers advised users to review DATA_WRITE audit logs for Playbooks.UpdatePlaybook calls and to check for anomalous Sessions.DetectIntent errors.





