Skip to content

Critical Gap in Google Dialogflow CX Enabled Agent Takeovers

In a nutshell: A gap in Dialogflow CX made it possible to gain access to other chatbots within the same project through a compromised agent setup and exfiltrate user data or inject phishing messages.

A critical security vulnerability in Google Dialogflow CX could have allowed attackers with editing rights on a code-block agent to compromise other code-block agents in the same Google Cloud project. Security firm Varonis identified the vulnerability.

The vulnerability affected code-block-enabled agents in Google’s Dialogflow CX. An attacker with editing rights on one of these agents could exploit the missing access controls to take control of other code-block agents within the same Google Cloud project.

From this privileged position, several attack scenarios would have been possible: attackers could have accessed ongoing user conversations, viewed and exfiltrated personally identifiable data that users entered during chatbot interaction. At the same time, it would have been possible to cause the chatbots to send arbitrary messages – for example to prompt users to re-enter passwords (phishing).

For CISOs, this vulnerability represents a significant risk in the cloud project context: Dialogflow CX implementations with multiple agents required strict separation of permission models to prevent lateral movement. The Varonis notification suggests that Google has since closed the gap. Organizations should review which users in their cloud projects have editing rights on Dialogflow agents and whether code-block features are unintentionally available.


Source: thehackernews.com · Published 7 July 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: