Security researchers at Varonis have disclosed a significant vulnerability in Google Cloud’s Dialogflow CX platform that could have allowed attackers to silently hijack conversational AI agents, manipulate live user sessions, and exfiltrate sensitive data without leaving any trace in logs. Google deployed a complete fix in June, following an initial partial patch in April.
What Is Dialogflow CX and How Do Code Blocks Work
Dialogflow CX is an enterprise-grade conversational AI platform used to build virtual agents and chatbots for customer support, financial services, healthcare, and other workflows that handle sensitive user data. A key capability within the platform is Playbooks with Code Blocks, which allow developers to embed custom Python logic directly into conversation flows. These Code Blocks execute inside a Cloud Run environment managed by Google, not the customer’s own infrastructure.
The Core Design Flaw
Varonis identified a critical design detail at the heart of the issue: all Dialogflow agents within the same GCP project that use Code Blocks share the same underlying Cloud Run execution environment. That environment runs with a write-enabled file system and under a user capable of modifying system files.
Researchers found that when the permission to configure Code Blocks was enabled on any single agent, it became possible to overwrite a key file responsible for executing Code Blocks via Python’s exec() function. Because no restrictions prevented arbitrary Python code from running, an attacker could inject malicious logic into that file, affecting every Code Block-enabled agent in the same project.
Attack Capabilities
Once the key file was modified, an attacker could achieve several serious outcomes:
- Session hijacking: Because injected code executed within the same
exec()scope, attackers had direct visibility into conversation variables and could intercept or impersonate legitimate conversation flows. - Phishing injection: Attackers could force agents to return attacker-controlled strings, including fake reauthentication prompts designed to harvest user credentials.
- Data exfiltration: Live conversation content and data shared by users could be captured and sent to an external server.
- Persistence: Malicious logic could be written to re-modify the key file for every subsequent user interaction.
- Stealth: The file modification produced no log entries, making the compromise effectively invisible to defenders.
Additional Exposure: IMDS and VPC Controls Bypassed
Varonis also found that the Cloud Run environment’s Instance Metadata Service (IMDS) could be queried to retrieve access tokens for a Google-managed service account. Additionally, the researchers were able to establish a bidirectional communication channel to an external server, bypassing VPC Service Controls that organizations rely on to enforce data perimeter boundaries.
Disclosure and Remediation
Varonis reported the vulnerability to Google Cloud in November 2025. An initial patch was released in April, with a complete fix confirmed in June. Organizations using Dialogflow CX for customer-facing or sensitive data workflows should verify they are running on the fully patched platform and review Code Block permissions assigned to agents within shared GCP projects.
