Flaw in Google Dialogflow CX let attackers hijack agents

Varonis found a Dialogflow CX Code Blocks flaw that let attackers overwrite Python execution, hijack agents, alter conversations and exfiltrate data across a Google Cloud project.

Varonis reported a vulnerability in Google Cloud’s Dialogflow CX Code Blocks that allowed attackers to overwrite the Python code used inside conversation flows. The issue could let a misconfigured actor take control of virtual agents, change responses and pull conversation data across all agents in the same Google Cloud project.

Dialogflow CX is an enterprise platform for building chatbots and virtual agents. Its Playbooks feature supports Code Blocks, which let teams run custom Python logic inside a conversation. Those Code Blocks execute in Google-managed Cloud Run instances that can make outbound network connections and cross data boundaries.

Varonis highlighted a shared execution model as the central problem. “Here lies the critical design detail — all Dialogflow agents that use Code Blocks in the same GCP project effectively share the same Cloud Run execution environment, which is managed by Google and is outside the victim’s scope,” the firm wrote.

The researchers found that if a Cloud Run instance was publicly accessible, had a writable file system and ran under an account able to modify system files, then someone with permission to configure Code Blocks could replace a key file that executes Code Blocks via Python’s exec(). Because arbitrary Python could run, the replacement file could access live conversation variables, call internal functions and change agent responses. “Because the injected Code Block is executed in the same scope inside exec(), attackers could reference these variables directly,” Varonis wrote.

Varonis said an attacker could exfiltrate conversation data, insert phishing prompts that resemble legitimate reauthentication requests, and deploy logic that rewrote the key file for every user without obvious logs. The researchers also showed how a bidirectional channel to an external server could be established, bypassing VPC Service Controls, and how the Cloud Run Instance Metadata Service could be targeted to obtain access tokens for a Google-managed service account.

Varonis reported the vulnerability to Google Cloud in November 2025. Google released an initial patch in April and deployed a complete fix in June. Varonis recommended that organizations using Code Blocks review permissions, audit Cloud Run instances for public access and writable system files, and confirm that Google’s patches have been applied.

Articles by this author

No posts found.