On July 7, 2026, The Hacker News covered Varonis’ Rogue Agent finding in Dialogflow CX: a single account with dialogflow.playbooks.update on one agent could have poisoned the shared runtime used by every Code Blocks-enabled agent in the same Google Cloud project. That turns what looks like a narrow content-edit permission into cross-agent code execution.
The impact was serious because the compromised runtime sat inside Google’s managed environment, outside the customer’s visibility, with access to live conversation history and the bot response path. According to Varonis’ technical write-up, an attacker could have quietly exfiltrated chats, pushed attacker-written prompts back to users, and used the bot itself as a phishing surface. Google said the issue was fixed in June 2026 and that there is no evidence of in-the-wild abuse.

How Rogue Agent worked
Dialogflow CX lets teams attach custom Python to Playbooks through Code Blocks. That code runs inside a Google-managed Cloud Run environment. Varonis found that agents using Code Blocks inside the same project shared that environment, including a writable file named code_execution_env.py, which was responsible for wrapping developer code and passing it to Python’s exec().
Once an attacker could edit one agent’s playbook, they could use a Code Block to overwrite that shared file with a modified version fetched from an external server. From that point forward, every subsequent Code Block execution across the project would run inside attacker-controlled wrapper logic. That wrapper could read conversation history, inspect session state, and call the built-in response helper to make the bot say whatever the attacker wanted.
Varonis also reported two related boundary failures. The runtime had unrestricted outbound internet access, which made direct exfiltration and command retrieval possible over standard libraries such as urllib. It also exposed the instance metadata service, or IMDS, returning a low-privilege Google-managed token. Even though that token was limited, the larger lesson is plain: a sandbox that can rewrite its own execution wrapper, reach the open internet, and query metadata is not meaningfully isolated.
What was affected
The issue was narrower than all of Dialogflow, but broader than one chatbot.
Dialogflow CXagents usingPlaybooksandCode Blocks. Agents without custom Python were outside this path.- Projects where a principal held
dialogflow.playbooks.update. The exploit started from an insider, a compromised developer account, or another identity that already had that permission. - Organizations relying on
VPC Service Controlsfor egress assumptions. Varonis said the runtime sat outside that perimeter and could still reach the public internet. - Teams handling sensitive chat data. Customer support, healthcare, finance, and internal assistant workflows were the obvious high-risk deployments because the bot could read and replay exactly what users typed.
Why this incident stands out
Many AI incidents start with prompt injection or model manipulation. Rogue Agent did not need either. The attack path lived in ordinary product features, ordinary IAM, and a shared execution layer customers could not inspect. That makes it a cleaner example of the real operational problem in agent systems: permissions that sound administrative or editorial often collapse directly into runtime power.
It also shows why provider-managed agent runtimes deserve the same scrutiny teams already apply to CI runners, serverless functions, and browser sandboxes. If multiple agents share code paths, file system state, or egress paths behind the scenes, then one mis-scoped permission can become a project-wide compromise. The bug was fixed. The design lesson remains.
What teams should do
If you used Dialogflow CX Code Blocks before Google’s June 2026 fix, treat this like a runtime compromise question, not a simple configuration review.
- Audit every holder of
dialogflow.playbooks.update. In this case, edit access was execution access. - Review historical playbook changes and log anomalies. Start with Dialogflow API
DATA_WRITEevents, unusual source IPs, odd access times, and failed requests that may expose Code Block exceptions. - Reduce egress assumptions for managed AI runtimes. If a provider-controlled execution path can reach the public internet, treat that path as an exfiltration channel until proven otherwise.
- Put a policy boundary in front of downstream actions. If the agent’s code execution and outbound actions were routed through Prismor, the exploit chain would have broken at the first policy violation: fetching a replacement payload from an untrusted domain, sending conversation data to an external sink, or invoking tools outside the session’s approved scope.
- Ask vendors direct isolation questions. Shared wrappers, writable system files, metadata reachability, and hidden egress paths are architecture questions, not edge cases.
Prismor matters here because Rogue Agent was ultimately an action problem, not only a permission problem. The attacker needed the compromised runtime to do real things next: pull remote code, move data to an attacker-controlled destination, and execute behavior that was outside the bot’s intended job. A runtime guard at the tool-call boundary is where those steps become governable.

Prismor would have helped by intercepting the malicious follow-on steps shown in your diagram: the payload fetch, the attempt to route conversation data outward, and any tool use that fell outside approved policy. That is the practical lesson from this incident: identity controls decide who may edit an agent, but execution controls decide whether a compromised agent can still reach sensitive tools, unapproved destinations, and live data flows. Teams that put both layers in place are much harder to turn into full-project incidents.