Google Dialogflow CX Flaw Could Have Let Attackers Take Over Chatbots in Shared Projects
Google has patched a serious security issue in Dialogflow CX that could have allowed an attacker with limited edit privileges to take over other chatbots in the same Google Cloud project, according to...
Google has patched a serious security issue in Dialogflow CX that could have allowed an attacker with limited edit privileges to take over other chatbots in the same Google Cloud project, according to research from Varonis. The flaw affected agents built with Playbooks and custom Code Blocks, a feature that lets developers run their own Python during chatbot conversations.
Although the problem was not remotely exploitable without access, it created a dangerous path for anyone who could modify one Code Block-enabled agent. With the dialogflow.playbooks.update permission on a single agent, an attacker could potentially interfere with other agents sharing the same runtime, monitor live conversations, extract user-submitted data, and send messages designed to trick people into revealing sensitive information such as passwords.
Shared runtime created an unexpected risk
Varonis said the issue stemmed from the way Dialogflow CX handled Code Blocks inside a Google-managed Cloud Run environment. Agents in the same project shared that environment, and the researchers found that the wrapping file used to execute code was writable. In practice, that meant a malicious Code Block could replace the file with a modified version that would then run across multiple agents.
Once that happened, the altered runtime would have the same access as legitimate chatbot code, including conversation history and session data. A compromised version could quietly forward user conversations to an external server and instruct the bot to send attacker-controlled replies. The researchers also identified two related weaknesses: outbound internet access from the sandbox and exposure to the Instance Metadata Service, which could be used to retrieve cloud identity data.
Minimal logging, but no sign of abuse
Google and Varonis both said there is no evidence the flaw was used in real-world attacks. The issue was reported through Google’s Vulnerability Reward Program in late 2025, partially fixed in April 2026, and fully resolved in June 2026. No CVE was assigned.
Because the compromise happened inside Google’s managed environment, customer visibility was limited. Varonis recommends that organizations using Dialogflow CX review access and audit logs, especially for unexpected playbook edits or unusual behavior in agents that relied on Code Blocks.
- Audit who has dialogflow.playbooks.update rights
- Review Dialogflow DATA_WRITE logs for unexpected playbook changes
- Check for unusual errors or failed requests in Cloud Logging
- Verify that every Code Block in the console is approved
The case highlights a broader lesson for AI platforms: a feature that appears to be a simple content-editing permission may actually amount to code execution when shared runtimes are involved.
