A flaw in Google’s Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent read live conversations, steal user data and send attacker-written replies across other agents in the same Google Cloud project, according to a technical analysis by Varonis.
KEY FACTS
- Scope The issue affected Dialogflow CX agents built with Playbooks and custom Code Blocks.
- Access needed An attacker needed the dialogflow.playbooks.update permission on one agent.
- Impact The flaw could expose conversation history and let a bot send phishing prompts.
- Status Google fixed the issue and says there is no sign it was used in a real attack.
The report said the Code Block runtime used a shared Google-managed Cloud Run environment, with little isolation between agents in the same project. Varonis found that a writable file named code_execution_env.py could be replaced from inside the container, allowing one Code Block to alter how other agents ran.
That change could let an attacker capture conversation data, send it to an external server and make the bot respond with attacker-controlled text. The report also said the sandbox had unrestricted outbound internet access and could reach the Instance Metadata Service, which returned a token for a Google-managed service account with low privileges.
The disclosure said Cloud Logging did not record the file change or the injected code. It also said a separate audit of Dialogflow playbooks can help customers look for unexpected updates, unusual users or failed requests that could indicate malicious code execution.
Google shipped an initial fix in April 2026 and fully resolved the issue in June 2026, about seven months after Varonis reported it through the company’s Vulnerability Reward Program in November 2025. No CVE was assigned.
WHY IT MATTERS
The case shows that a permission that appears to control content can also become a code execution risk when agents share a hidden runtime. For organizations using AI bots with custom code, the practical question is not only who can edit the agent, but who can reach the runtime behind it.

