Google has patched a critical flaw in Dialogflow CX that let an attacker with bare-minimum access take over an entire AI agent deployment.
Security firm Varonis discovered that Code Blocks — custom Python snippets embedded in Dialogflow CX conversation "Playbooks" — all run inside a single shared Cloud Run service. That service had a writable filesystem, unrestricted public internet egress, and excess privileges. An attacker with permission to edit just one chatbot could plant malicious code in that shared environment, overwrite key files, access full conversation histories, spoof LLM-generated replies, and exfiltrate credentials. Because all agents in a Google Cloud Platform project share the same Cloud Run instance, one compromised agent could pivot to every other agent in the project. Worse, Cloud Logging does not capture file overwrites or injected logic, making the attack nearly impossible to detect through standard monitoring.
The design flaw here is architectural, not incidental. Shared execution environments are a known risk in multi-tenant systems, and the gap between "edit one chatbot" and "own the whole project" is exactly the kind of privilege boundary that enterprise security teams assume cloud providers have already drawn. Organizations running customer-facing chatbots on Dialogflow CX — collecting session data, handling authentication flows — had meaningful exposure between Varonis's November 2025 disclosure and Google's final patch in June 2026.
Google says there is no evidence of in-the-wild exploitation, which is the one piece of good news. Varonis advises customers to audit DATA_WRITE logs for Playbooks.UpdatePlaybook calls, flag anomalous Sessions.DetectIntent errors, and manually inspect every agent's Code Blocks for code that shouldn't be there — a manual review step that underscores how quietly this attack could have operated.