Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots
A critical vulnerability named "Rogue Agent" in Google Dialogflow CX allowed attackers with edit rights on one agent to compromise all Code Block-enabled agents within the same Google Cloud project. The flaw stemmed from a shared, non-isolated Cloud Run environment where a writable `code_execution_env.py` file could be overwritten by a malicious Code Block to execute arbitrary Python across all agents. Additional risks included unrestricted outbound internet access bypassing VPC Service Controls
Analysis
TL;DR
- A critical vulnerability named "Rogue Agent" in Google Dialogflow CX allowed attackers with edit rights on one agent to compromise all Code Block-enabled agents within the same Google Cloud project.
- The flaw stemmed from a shared, non-isolated Cloud Run environment where a writable
code_execution_env.pyfile could be overwritten by a malicious Code Block to execute arbitrary Python across all agents. - Additional risks included unrestricted outbound internet access bypassing VPC Service Controls and exposure of the Instance Metadata Service (IMDS), facilitating data exfiltration and credential theft.
- The issue was disclosed via Google's Vulnerability Reward Program and patched between April and June 2026, with no evidence of active exploitation in the wild.
Why It Matters
This incident highlights a severe architectural risk in managed AI services where shared execution environments lack proper isolation, turning a simple content-edit permission into a full code-execution privilege. For AI practitioners and security teams, it underscores the necessity of auditing IAM permissions for AI platforms and understanding the underlying runtime security posture of third-party services, rather than relying solely on application-level controls.
Technical Details
- Shared Runtime Isolation Failure: All Code Block-enabled agents in a project shared a single Cloud Run instance. The environment lacked isolation, allowing one agent's code to affect others.
- File Overwrite Attack Vector: The file
code_execution_env.py, which wraps developer code with internal setup logic, was writable. An attacker could replace this file with a malicious version downloaded from an external server, affecting all subsequent executions. - Unrestricted Network Access: The Code Block environment had unrestricted outbound internet access, allowing data exfiltration via libraries like
urlliband bypassing Google Cloud VPC Service Controls. - IMDS Exposure: The environment exposed the Instance Metadata Service, leaking tokens for low-privilege Google-managed service accounts, violating standard security best practices for sandboxed environments.
- Lack of Visibility: Cloud Logging did not record file changes or injected code execution, making detection difficult without correlating audit logs and checking for unexpected playbook updates.
Industry Insight
- Re-evaluate Permission Models: Organizations must distinguish between content-edit permissions and code-execution capabilities in AI platforms. Auditing IAM roles for
dialogflow.playbooks.updateis critical to prevent insider threats or compromised developer accounts from escalating privileges. - Demand Transparent Sandboxing: When using managed AI services with custom code execution, verify that the provider implements strict network egress controls, proper VM/container isolation, and comprehensive logging for runtime activities.
- Proactive Monitoring: Implement regular audits of AI platform configurations and monitor for anomalous outbound traffic or unexpected changes in playbook definitions, as traditional security logs may not capture low-level runtime manipulations.
Disclaimer: The above content is generated by AI and is for reference only.