A critical flaw in Google’s Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent compromise other Code Block-enabled agents in the same Google Cloud project.

From there, they could read live conversations, steal the data users shared, and make the bots send attacker-written messages, including requests to re-enter a password.

Security firm Varonis found it and named it Rogue Agent. The flaw affected only organizations that built agents with Dialogflow’s Playbooks and custom Code Blocks, which let developers add their own Python. And it was not a remote, unauthenticated attack.

Pulling it off needed the dialogflow.playbooks.update permission on one such agent, which limits the realistic attacker to a malicious insider or a compromised developer account, not a stranger on the internet. From that one foothold, though, the reach extended to every agent in the project.

Google has fixed it, and both Varonis and Google say there is no sign the flaw was ever used in a real attack.

One writable file ran every agent’s Code Blocks

Dialogflow’s Code Blocks let developers add custom Python to a chatbot’s conversation flow to check input, control behavior, and invoke defined tools. That code runs in a Google-managed Cloud Run environment, and every agent that uses Code Blocks in the same Google Cloud project shares one instance of it.

Google runs that environment, the customer cannot see or control it, and Varonis found no real isolation between the agents inside it.

When an agent runs a Code Block, the developer’s code is appended to internal setup code and passed to Python’s exec() function. That setup code defines the variables and functions the block can touch. Variables include history for the full conversation and state for session details like the session ID. Functions include respond(), which makes the bot reply with a given string.

Varonis found the file that does this wrapping, code_execution_env.py, sitting in the shared environment with write access.

Because that file was writable, a single Code Block could replace it. That block downloads a modified code_execution_env.py from an attacker-controlled server and overwrites the original inside the running container.

From then on, the attacker’s version runs for every Code Block execution across every agent sharing that environment. It sits in the same scope as legitimate code, with the same access to history, state, and respond().

That lets it read each conversation, quietly send it to the attacker’s server, and make the bot post attacker-written messages. One example is phishing: the bot asks the user to re-verify a login, and the attacker collects whatever they type.

To cover the tracks, the attacker restores the original Code Block in the Dialogflow console. That changes only what the console displays; the overwritten file is already running in the container and keeps executing underneath.

The sandbox leaked two more ways

Varonis reported…


Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: July 7, 2026