Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots
What happened
A critical flaw in Google Dialogflow CX, named Rogue Agent, could have allowed an attacker with edit rights on one Code Block-enabled agent to compromise other Code Block-enabled agents in the same Google Cloud project. Google has fixed the issue, and researchers said there is no evidence that the flaw was exploited in real attacks.
The flaw affected organizations using Dialogflow Playbooks with custom Code Blocks, which allow developers to add Python code to chatbot conversation flows. It was not a remote, unauthenticated attack. Exploitation required the dialogflow.playbooks.update permission on one affected agent, making the realistic attacker a malicious insider or someone who had already compromised a developer account.
The weakness came from how Dialogflow ran Code Blocks in a shared Google-managed Cloud Run environment. Every agent using Code Blocks in the same Google Cloud project shared the same environment, and a writable file inside that environment controlled how Code Block code was wrapped and executed. A malicious Code Block could overwrite that file, causing the attacker’s code to run whenever any Code Block-enabled agent in the project executed.
Once in place, the attacker’s code could access live chatbot conversation history, session state, and response functions. That means an attacker could silently exfiltrate user conversations, steal data shared with the bot, or make the chatbot send attacker-written messages, including phishing prompts asking users to re-enter passwords. Related issues also allowed unrestricted outbound internet access from the Code Block environment and exposed a low-privilege Google-managed service account token through the instance metadata service.
Who is affected
Organizations using Google Dialogflow CX agents with Playbooks and custom Code Blocks were directly affected before Google’s fix.
The risk was highest for teams where many agents shared the same Google Cloud project and where multiple users or service accounts held dialogflow.playbooks.update permissions.
Customers interacting with affected chatbots could also have been exposed if an attacker used the flaw to read live conversations, steal submitted data, or inject phishing-style responses into trusted chatbot sessions.
Why CISOs should care
Rogue Agent shows that AI application risk is not limited to prompt injection or model manipulation. In this case, the model itself was not the target. The issue came from a shared runtime and a developer feature that allowed code execution.
For CISOs, the permission model is the key lesson. A permission that looks like chatbot content editing can effectively become runtime code execution if Code Blocks are enabled. That changes how agent-edit roles should be governed.
The shared environment also matters. If multiple AI agents run inside the same underlying execution environment, compromise of one agent can create cross-agent risk across the project.
The logging gap is also important. The file overwrite occurred inside Google’s managed environment, where customers had limited visibility, and standard logging did not capture the injected runtime change.
3 practical actions
Audit Dialogflow Code Block permissions: Review who has dialogflow.playbooks.update access and remove unnecessary permissions from users and service accounts. Treat this permission as code-execution authority, not ordinary chatbot editing.
Review historical agent changes and logs: Teams that used Code Blocks before the fix should review Dialogflow API DATA_WRITE logs for unexpected playbook updates, unusual users, strange IP addresses, or abnormal update times.
Validate all approved Code Blocks: Open Playbooks for each agent and confirm that every Code Block is expected, approved, and tied to a legitimate business function. Investigate failed user requests or unusual chatbot behavior that may indicate malicious code execution.
More in cybersecurity:


