Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI toolsNEW
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI toolsNEW
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

Google Dialogflow CX flaw let researchers create rogue agents

A malicious Code Block could access conversation history, session state and internal functions inside a project.

byKerem Gülen
July 14, 2026
in Research
Home Research
Share on FacebookShare on TwitterShare on LinkedInShare on WhatsAppShare on e-mail
Google Preferred Source

Varonis uncovered critical vulnerabilities in Google Cloud’s Dialogflow CX that allowed malicious Code Blocks in Playbooks to hijack agents, exfiltrate chat logs, and steal credentials. The shared Cloud Run environment featured excessive privileges, enabling one compromised agent to control all others within a project, with attacks remaining virtually undetectable in Cloud Logging.

Google patched these vulnerabilities between April and June 2026. Researchers recommended reviewing audit logs, checking for anomalous errors, and manually inspecting Code Blocks for unauthorized code.

The vulnerability allowed threat actors access to different AI agents, full conversation history, and sensitive data such as login credentials. Dialogflow CX is an AI platform that enables developers to build voice and text chatbots, allowing for the inclusion of custom Python snippets, known as Code Blocks, within conversation Playbooks, all executing in a shared Cloud Run service.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

Varonis stated that the attacker did not need broad admin access; permission to edit a single chatbot’s settings was sufficient to plant malicious code. The Cloud Run environment lacked code restrictions, featured a writable filesystem, and included public internet egress, which could lead to complete overwriting of key files.

Once compromised, an agent could take over all others in the project. The limitation of Cloud Logging meant that file overwrites or injected logic would go undetected. Varonis reported the vulnerabilities to Google in November 2025. An initial fix was released in April 2026, with full resolution achieved by June 2026.

There is no evidence of any in-the-wild exploitation attempts. Researchers advised users to review DATA_WRITE audit logs for Playbooks.UpdatePlaybook calls and to check for anomalous Sessions.DetectIntent errors.


Featured image credit

Tags: FeaturedGoogleMalware

Related Posts

New dark matter theory proposes two particle types

New dark matter theory proposes two particle types

July 14, 2026
Penn State researchers build battery-free solar computing chip

Penn State researchers build battery-free solar computing chip

July 14, 2026
Anthropic research introduces GRAM for isolating dangerous AI knowledge

Anthropic research introduces GRAM for isolating dangerous AI knowledge

July 9, 2026
Global PC shipments fall 5% as AI-driven memory crisis hits supply chains

Global PC shipments fall 5% as AI-driven memory crisis hits supply chains

July 9, 2026
Only 6% of Singapore desk workers use AI daily, says Salesforce

Only 6% of Singapore desk workers use AI daily, says Salesforce

July 8, 2026
Anthropic J-lens reveals hidden workspace inside Claude

Anthropic J-lens reveals hidden workspace inside Claude

July 7, 2026

LATEST NEWS

OpenAI retires Atlas browser to focus on new ChatGPT superapp

Microsoft tests Copilot’s new PC insights feature in Windows 11

Xiaomi unveils SkyNomad N90 range-extender SUV

X algorithm update aims to make replies feel friendlier

Windows 11 Search Box gets less clutter and more control

Pixel 11 leak shows bold magenta and peach colors

BEST AI MODELS LEADERBOARD

See the best AI models, ranked by intelligence, benchmark results, speed and token price. Find the most suitable LLMs, Text-to-Image, Image Editing, Text-to-Speech, Text-to-Video and Image-to-Video  artificial intelligence model for your tasks and business.

LATEST TOOLS

Mootion

Legacy AI

Copyseeker

ProPhotos

Kuki AI

Create

RemodelAI

AItwitch

Vadoo AI

Greptile AI

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI tools
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies to improve your experience. You can choose to accept or reject them. Visit our Privacy Policy.