What happened
Google has fixed a security vulnerability in Google Cloud’s Dialogflow CX platform that could have allowed attackers to steal sensitive information from AI-powered chatbots and enterprise agents.
The flaw, dubbed “Rogue Agent” by Varonis Threat Labs, involved a permission boundary issue in Dialogflow CX’s Code Blocks feature. According to Varonis researchers, an attacker with the dialogflow.playbooks.update permission could have injected persistent malicious code into an AI agent’s execution pipeline.
The malicious code could have silently collected chatbot conversations, session data, and other sensitive information while remaining difficult to detect. Researchers also demonstrated that attackers could manipulate chatbot responses to display fake reauthentication prompts designed to steal user credentials through phishing.
Varonis privately disclosed the issue to Google in November 2025. Google released an initial fix in April before fully mitigating the vulnerability last month. The company stated that all affected components have been patched and that there is no evidence of customer compromise.
Who is affected
The vulnerability affected organizations using Google Cloud Dialogflow CX to build AI-powered customer service agents, virtual assistants, and conversational applications.
Dialogflow CX is widely used across industries such as financial services, healthcare, retail, and customer support, where AI agents routinely process confidential customer conversations and sensitive business data.
Although exploitation required an attacker to obtain valid credentials and a specific permission, the required dialogflow.playbooks.update permission could be assigned beyond high-level administrators, increasing the potential attack surface.
Why CISOs should care
The Rogue Agent vulnerability highlights the growing security risks surrounding enterprise AI infrastructure. As organizations deploy more AI agents, the underlying cloud services and execution environments become part of the attack surface.
Tamir Yehuda, Cloud Security Research Team Leader at Varonis, warned that AI services are tightly connected to cloud infrastructure, meaning vulnerabilities or misconfigurations in supporting services can undermine otherwise secure AI deployments.
Even though Google has remediated this issue, the incident demonstrates that securing AI applications requires more than protecting prompts and models. Organizations must also monitor permissions, cloud architecture, and custom code running behind AI services.
3 practical actions
- Review audit logs for recent Playbook updates and investigate unexpected modifications to Dialogflow CX agents.
- Audit permissions such as dialogflow.playbooks.update and apply the principle of least privilege to AI administration roles.
- Regularly inspect custom Code Blocks and monitor AI infrastructure for unauthorized changes, unusual outbound connections, or suspicious chatbot behavior.

