**Understanding the Rogue Agent Vulnerability in Google Dialogflow CX**
A critical security vulnerability, coined “Rogue Agent,” has been identified in Google’s Dialogflow CX platform. This flaw could potentially allow an attacker with edit rights on a Code Block-enabled agent to compromise other agents within the same Google Cloud project, leading to data theft and unauthorized actions.
**The Vulnerability Explained**
The vulnerability was discovered by security firm Varonis and specifically affects organizations that have built agents using Dialogflow’s Playbooks and custom Code Blocks. These Code Blocks allow developers to incorporate custom Python code into chatbot conversation flows. The critical issue arises from the fact that all agents using Code Blocks within the same Google Cloud project share a single instance of the code execution environment managed by Google.
According to Varonis, if an attacker obtains the `dialogflow.playbooks.update` permission on one such agent—likely through a malicious insider or compromised developer account—they can replace a shared file named `code_execution_env.py`. This file handles the wrapping and execution of developer code. By replacing this file with a malicious version downloaded from an attacker-controlled server, the attacker can execute arbitrary code across all agents in the project. This can enable reading live conversations, stealing user data, and even making bots send phishing messages requesting password re-entry.
**Additional Risks**
Beyond the file overwrite attack, Varonis identified two other related security issues:
1. **Unrestricted Outbound Internet Access:** The Code Block environment has direct internet access, bypassing Google Cloud VPC Service Controls. This allows attackers to exfiltrate data and remotely control the environment using Python’s `urllib` library.
2. **Exposure of Instance Metadata Service (IMDS):** The environment can query the IMDS, potentially exposing Google-managed service account tokens, although these tokens were low-privilege.
**Impact and Mitigation**
Google has addressed this vulnerability, with an initial fix deployed in April 2026 and a full resolution by June 2026. No known exploitation has been reported.
If you have used Dialogflow CX agents with Code Block Playbooks, it is crucial to:
– Audit who holds the `dialogflow.playbooks.update` permission.
– Review DATA_WRITE audit logs for unexpected playbook updates.
– Check Cloud Logging for failed user requests indicating malicious activity.
– Verify that all Code Blocks in the Dialogflow console are authorized.
This vulnerability highlights the importance of treating agent-edit permissions as runtime controls and the need for heightened security around shared execution environments.
For more details on the original report, refer to the article by Varonis.
**Source:**
Understanding the Rogue Agent Vulnerability in Google Dialogflow CX. (n.d.). Varonis. https://www.varonis.com/blog/google-dialogflow-cx-code-block-rogue-agent-vulnerability/



