A 'Rogue Agent' flaw in Google Dialogflow CX let one permission hijack every chatbot in a project

Researchers at Varonis disclosed a vulnerability in Google Cloud's Dialogflow CX, the platform companies use to build customer-service chatbots and voice agents. A single edit permission on one agent let an attacker inject Python into a shared Cloud Run execution environment, silently read conversation history, impersonate the bot, and interfere with other agents in the same Google Cloud project. Varonis reported it in November 2025; Google issued an initial fix in April 2026 and fully resolved it in June, with no known exploitation.

Google (Dialogflow CX) · Incident Jul 7, 2026 · Indexed Jul 10, 2026 · 2 sources

Records by entity: Google

A single overlooked permission on one agent could turn every customer-service bot in the project into a silent eavesdropper.
What
Researchers at Varonis disclosed a vulnerability in Google Cloud's Dialogflow CX, the platform companies use to build customer-service chatbots and voice agents.
Incident date
Jul 7, 2026
Who
Google (Dialogflow CX)
Failure mode
Data Leakage
AI surface
Chatbot
Severity
High

What happened

Dialogflow CX lets developers embed custom Python in conversation flows through Code Blocks, which run inside a Google-managed Cloud Run environment. Varonis found that all agents using Code Blocks in the same Google Cloud project effectively shared that environment, and that with one Code Block edit permission an attacker could overwrite the key file executing that Python via `exec()`. From there they could read live conversations, force the bot to return attacker-chosen text, inject fake reauthentication prompts to harvest credentials, and persist invisibly across every agent in the project without appearing in logs. Varonis named it Rogue Agent, reported it to Google in November 2025, and Google fully resolved it in June 2026.

What broke inside the model

Failure path · mode profile · Data Leakage
  1. 01 · TriggerA request triggers retrieval or context loading.
  2. 02 · Model stepThe context pulls in another user's content.
  3. 03 · Control gapNo boundary enforces isolation at the moment of output.
  4. 04 · FailurePrivate data crosses into the response.
  5. 05 · ConsequenceOne user sees another's data, and disclosure follows.

One user's content crosses the retrieval boundary into another's response.

This was an architecture and trust-boundary failure around the agent runtime, not a model output error. Multiple tenants' agents shared one execution scope, and the permission model assumed a single Code Block edit was low risk. Because injected code ran in the same scope as live session variables, the attacker gained full visibility into ongoing conversations and the ability to rewrite the bot's responses, collapsing the boundary between one agent and every other agent in the project.

Public visibilityMedium
Regulatory exposureNone
Customer impactMany customers
Financial impactUnknown
Time to disclosureMonths
  1. PressExclusive: Google patched AI chatbot flaw that could have exposed customer conversationsaxios.com
  2. PressGoogle Dialogflow CX Bug Allowed Attackers to Hijack AI Conversationssecurityweek.com
Permalinkhttps://failureindex.ai/failures/google-dialogflow-cx-rogue-agent-flaw
CitationAI Failure Index. "A 'Rogue Agent' flaw in Google Dialogflow CX let one permission hijack every chatbot in a project" (FI-0704). Realm Labs. https://failureindex.ai/failures/google-dialogflow-cx-rogue-agent-flaw (indexed Jul 10, 2026).
Share cardA branded image of this record for posts and slides.

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0704. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard
  • AI Detection & Response (AIDR)

Realm enforces trust boundaries at the runtime layer so a compromised or over-permissioned agent cannot read or rewrite another agent's session data. OmniGuard redacts sensitive content inline and blocks unauthorized instructions injected into the execution path, and the detection-and-response trail exposes cross-agent access that would otherwise stay out of the logs.