Varonis Threat Labs disclosed a critical vulnerability chain in Google Cloud Dialogflow CX dubbed Rogue Agent that allowed attackers with only the dialogflow.playbooks.update permission on one agent to inject persistent malicious Python code into shared Playbook Code Blocks. The flaw arose because Dialogflow CX executed code in a common Google-managed Cloud Run environment, where a writable code_execution_env.py file and use of Python exec() allowed arbitrary code execution that could affect other agents in the same GCP project.
Successful exploitation could let an attacker exfiltrate conversation history, manipulate chatbot responses, impersonate agents for phishing, bypass VPC Service Controls through unrestricted outbound internet access, and obtain low-privilege Google-managed service account tokens via the Instance Metadata Service. Varonis reported the issue to Google in November 2025; Google released an initial fix in April 2026 and fully remediated the affected components in June 2026. Researchers said they were not aware of exploitation in the wild before the patches and advised customers to review Dialogflow CX Playbook changes and related logs for suspicious activity.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Google fully remediated the affected Dialogflow CX components in June 2026. Varonis said it was not aware of exploitation in the wild before Google's patch release.
Google released an initial fix for the reported Dialogflow CX issues in April 2026. The fix addressed the vulnerability chain that enabled arbitrary code execution and abuse of shared Cloud Run execution logic.
Varonis Threat Labs disclosed a critical vulnerability chain in Google Cloud Platform's Dialogflow CX to Google in November 2025. The issues allowed persistent malicious code injection through Playbook Code Blocks and cross-agent impact within the same GCP project.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
securityweek.com
Open sourcecybersecuritynews.com
Open sourcethehackernews.com
Open sourcevaronis.com
Open sourcedarkreading.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.