A vulnerability in Google Cloud’s Dialogflow CX service could have allowed attackers to silently control agents, manipulate conversations, and exfiltrate sensitive information, Varonis reports.
Dialogflow CX is an enterprise-grade conversational AI platform that allows organizations to build complex virtual agents and chatbots for customer support, financial services, healthcare assistance, and sensitive data-handling workflows within enterprise environments.
For user conversation workflows, Dialogflow CX relies on Playbooks, which offer Code Blocks, to support embedding custom Python logic into conversation flows, enabling agents to process user input, call APIs, and manipulate data.
Code Blocks are executed within an environment controlled by Google, namely the Cloud Run service. Cloud Run instances can initiate outbound connections to the internet and communicate across data perimeters.
“Here lies the critical design detail — all Dialogflow agents that use Code Blocks in the same GCP project effectively share the same Cloud Run execution environment, which is managed by Google and is outside the victim’s scope,” says Varonis, which named the vulnerability Rogue Agent.








