Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code
Key Takeaways A critical vulnerability, dubbed “Rogue Agent,” was discovered in Google Cloud Platform’s Dialogflow CX. The flaw allowed attackers with limited permissions to inject...
Key Takeaways
- A critical vulnerability, dubbed “Rogue Agent,” was discovered in Google Cloud Platform’s Dialogflow CX.
- The flaw allowed attackers with limited permissions to inject persistent malicious code into AI chatbot pipelines.
- This exploit could lead to data exfiltration, agent impersonation, and large-scale phishing campaigns.
- Google has patched the vulnerability, with a full resolution implemented by June 2026.
- Organizations that used Dialogflow CX with Playbook Code Blocks before the patch should conduct a thorough audit.
A severe security vulnerability in Google Cloud Platform’s Dialogflow CX, identified as “Rogue Agent,” enabled attackers to embed persistent malicious code within an organization’s AI-driven chatbot systems. This critical flaw could facilitate silent data exfiltration and widespread phishing operations, requiring only a single edit permission to initiate the compromise.
Table Of Content
The security research firm Varonis uncovered this vulnerability. It specifically exploited Playbook Code Blocks, a Dialogflow CX feature that allows developers to integrate custom Python logic for processing user input and interacting with external APIs within a Google-managed execution environment.
GCP Dialogflow Vulnerability Details
Researchers discovered that all agents utilizing Code Block logic within the same GCP project share a common Cloud Run execution environment. A critical file, code_execution_env.py, responsible for running Code Block logic via Python’s exec() function, was found to be writable and lacked sufficient code restrictions. By overwriting this file, an attacker could gain unauthorized access to shared session variables, including conversation history, and effectively hijack the execution scope of every agent within that project.
Alarmingly, exploiting this vulnerability required only the dialogflow.playbooks.update permission. This permission, which can be scoped to a single agent, was sufficient to configure Code Blocks and subsequently execute arbitrary Python code. Once malicious code was made persistent, attackers could restore the console’s original configuration, making the compromise virtually undetectable through standard Cloud Logging.
The implications of this exploit were significant. Attackers could exfiltrate sensitive conversation data to external servers, impersonate the agent’s legitimate responses using internal functions like respond(), and even inject sophisticated phishing prompts disguised as reauthentication requests to steal user credentials.
Varonis identified two additional compounding issues that significantly amplified the risk posed by “Rogue Agent”:
- VPC-SC Bypass: The Cloud Run environment’s unrestricted outbound internet access allowed attackers to transform the execution environment into a covert data-exfiltration proxy. This was possible even when VPC Service Controls were enforced on the agent, effectively circumventing these critical security measures.
- IMDS Credential Leakage: The exposure of the Instance Metadata Service (IMDS) permitted the retrieval of access tokens associated with a Google-managed service account. This directly violated isolation principles, despite the service account possessing low privileges, demonstrating a breakdown in the expected security boundaries.
Varonis reported the vulnerability to Google in November 2025. Google responded by shipping an initial fix in April 2026 and fully resolved the issue by June 2026. Fortunately, there were no known instances of in-the-wild exploitation before the patch was widely deployed.
The “Rogue Agent” vulnerability is part of a growing trend of security flaws affecting AI platforms. Varonis has responsibly disclosed several such vulnerabilities, including “Reprompt” in Microsoft Copilot Personal and “SearchLeak” in Microsoft Copilot Enterprise, the latter patched as CVE-2026-42824 with a maximum critical severity rating. This pattern underscores the expanding attack surface presented by the widespread adoption of AI agents, with approximately 80% of Fortune 500 companies now actively utilizing these technologies across various cloud platforms.
What You Should Do
Google and Varonis recommend that organizations using Dialogflow CX with Playbook Code Blocks prior to the patch take the following immediate steps:
- Enable DATA_WRITE audit logs for the Dialogflow API and meticulously review past playbook update events for any anomalies or suspicious activity.
- Correlate any identified suspicious updates with rare API access patterns, unusual IP addresses, or atypical access times to pinpoint potential breaches.
- Query Cloud Logging for failed requests and thoroughly inspect
protoPayload.status.messagefor exceptions that could indicate malicious Code Block logic. - Manually review each agent’s Playbooks within the Dialogflow CX console to confirm that only whitelisted Code Blocks are configured and no unauthorized code is present.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.