A 'Rogue Agent' flaw in Google Dialogflow CX let one permission hijack every chatbot in a project
Researchers at Varonis disclosed a vulnerability in Google Cloud's Dialogflow CX, the platform companies use to build customer-service chatbots and voice agents. A single edit permission on one agent let an attacker inject Python into a shared Cloud Run execution environment, silently read conversation history, impersonate the bot, and interfere with other agents in the same Google Cloud project. Varonis reported it in November 2025; Google issued an initial fix in April 2026 and fully resolved it in June, with no known exploitation.
Records by entity: Google
A single overlooked permission on one agent could turn every customer-service bot in the project into a silent eavesdropper.
Key facts
- What
- Researchers at Varonis disclosed a vulnerability in Google Cloud's Dialogflow CX, the platform companies use to build customer-service chatbots and voice agents.
- Incident date
- Jul 7, 2026
- Who
- Google (Dialogflow CX)
- Failure mode
- Data Leakage
- AI surface
- Chatbot
- Severity
- High
What happened
Dialogflow CX lets developers embed custom Python in conversation flows through Code Blocks, which run inside a Google-managed Cloud Run environment. Varonis found that all agents using Code Blocks in the same Google Cloud project effectively shared that environment, and that with one Code Block edit permission an attacker could overwrite the key file executing that Python via `exec()`. From there they could read live conversations, force the bot to return attacker-chosen text, inject fake reauthentication prompts to harvest credentials, and persist invisibly across every agent in the project without appearing in logs. Varonis named it Rogue Agent, reported it to Google in November 2025, and Google fully resolved it in June 2026.
What broke inside the model
- 01 · TriggerA request triggers retrieval or context loading.
- 02 · Model stepThe context pulls in another user's content.
- 03 · Control gapNo boundary enforces isolation at the moment of output.
- 04 · FailurePrivate data crosses into the response.
- 05 · ConsequenceOne user sees another's data, and disclosure follows.
One user's content crosses the retrieval boundary into another's response.
This was an architecture and trust-boundary failure around the agent runtime, not a model output error. Multiple tenants' agents shared one execution scope, and the permission model assumed a single Code Block edit was low risk. Because injected code ran in the same scope as live session variables, the attacker gained full visibility into ongoing conversations and the ability to rewrite the bot's responses, collapsing the boundary between one agent and every other agent in the project.
What it cost
Sources
Cite this entry
https://failureindex.ai/failures/google-dialogflow-cx-rogue-agent-flawAI Failure Index. "A 'Rogue Agent' flaw in Google Dialogflow CX let one permission hijack every chatbot in a project" (FI-0704). Realm Labs. https://failureindex.ai/failures/google-dialogflow-cx-rogue-agent-flaw (indexed Jul 10, 2026).Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0704. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm would have caught this
- Prism
- OmniGuard
- AI Detection & Response (AIDR)
Realm enforces trust boundaries at the runtime layer so a compromised or over-permissioned agent cannot read or rewrite another agent's session data. OmniGuard redacts sensitive content inline and blocks unauthorized instructions injected into the execution path, and the detection-and-response trail exposes cross-agent access that would otherwise stay out of the logs.