Google Dialogflow CX Rogue Agent Showed How One Playbook Editor Could Reach Every Code Block Agent
July 8, 2026
AI Agent Security in 2026: Why the Control Plane Has to Sit at the Tool-Call Boundary
July 7, 2026
Every Agent Has a Door. Most Are Unlocked.
July 3, 2026
Why We Built Prismor to Secure AI Coding Agents at the Tool-Call Boundary
June 26, 2026
143 Mastra npm Packages Backdoored via easy-day-js Dependency Swap
June 17, 2026
TrapDoor: 34 Malicious Packages Stole Crypto Wallet Keys and SSH Credentials Across npm, PyPI, and Crates.io
May 25, 2026
AntV npm Packages Compromised via Hijacked Maintainer Account
May 19, 2026
CVE-2026-42945: NGINX Rewrite Module Heap Overflow Enables Unauthenticated Code Execution
May 13, 2026
TanStack and Mistral npm Packages Compromised in Mini Shai-Hulud Supply Chain Attack
May 11, 2026
Microsoft Patches Critical ASP.NET Core DataProtection Flaw That Breaks Cryptographic Signatures
April 23, 2026
Vercel got breached. Here is what that means for everyone downstream.
April 19, 2026
When the System Built to Warn Us Can No Longer Keep Pace
April 15, 2026
Your AI Agent Remembers Your Secrets
April 13, 2026
Your Home Directory is a Secret Goldmine for Attackers
April 6, 2026
When a core npm dependency becomes the attack path: lessons from the Axios compromise
March 31, 2026
When the AI dependency becomes the attack path: lessons from the LiteLLM PyPI compromise
March 24, 2026
When the security scanner becomes the attack path: lessons from the Trivy compromise
March 23, 2026
Critical Path Traversal Vulnerability in jsPDF Library (CVE-2025-68428)
January 6, 2026
MongoBleed: Unauthenticated Memory Disclosure in MongoDB (CVE-2025-14847)
December 27, 2025
Critical Remote Code Execution in n8n Workflow Automation: CVE-2025-68613
December 19, 2025
The Return of Shai-Hulud: npm's Worm Strikes Back
November 24, 2025
Critical Chrome Zero-Day Exploited: Google Rushes Emergency Patch for CVE-2025-0411
October 28, 2025
Critical Remote Code Execution Vulnerability in React Server Components
December 3, 2025
Agent SecurityJuly 8, 20265 min read

Google Dialogflow CX Rogue Agent Showed How One Playbook Editor Could Reach Every Code Block Agent

On July 7, 2026, Rogue Agent showed how one Dialogflow CX playbook edit permission could hijack every Code Block agent in a project.

On July 7, 2026, The Hacker News covered Varonis’ Rogue Agent finding in Dialogflow CX: a single account with dialogflow.playbooks.update on one agent could have poisoned the shared runtime used by every Code Blocks-enabled agent in the same Google Cloud project. That turns what looks like a narrow content-edit permission into cross-agent code execution.

The impact was serious because the compromised runtime sat inside Google’s managed environment, outside the customer’s visibility, with access to live conversation history and the bot response path. According to Varonis’ technical write-up, an attacker could have quietly exfiltrated chats, pushed attacker-written prompts back to users, and used the bot itself as a phishing surface. Google said the issue was fixed in June 2026 and that there is no evidence of in-the-wild abuse.

Google chatbot illustration from the original Rogue Agent coverage
Rogue Agent was a shared-runtime problem: compromise one editable agent, then inherit reach into every other agent using the same Code Block environment.

How Rogue Agent worked

Dialogflow CX lets teams attach custom Python to Playbooks through Code Blocks. That code runs inside a Google-managed Cloud Run environment. Varonis found that agents using Code Blocks inside the same project shared that environment, including a writable file named code_execution_env.py, which was responsible for wrapping developer code and passing it to Python’s exec().

Once an attacker could edit one agent’s playbook, they could use a Code Block to overwrite that shared file with a modified version fetched from an external server. From that point forward, every subsequent Code Block execution across the project would run inside attacker-controlled wrapper logic. That wrapper could read conversation history, inspect session state, and call the built-in response helper to make the bot say whatever the attacker wanted.

Varonis also reported two related boundary failures. The runtime had unrestricted outbound internet access, which made direct exfiltration and command retrieval possible over standard libraries such as urllib. It also exposed the instance metadata service, or IMDS, returning a low-privilege Google-managed token. Even though that token was limited, the larger lesson is plain: a sandbox that can rewrite its own execution wrapper, reach the open internet, and query metadata is not meaningfully isolated.

What was affected

The issue was narrower than all of Dialogflow, but broader than one chatbot.

  • Dialogflow CX agents using Playbooks and Code Blocks. Agents without custom Python were outside this path.
  • Projects where a principal held dialogflow.playbooks.update. The exploit started from an insider, a compromised developer account, or another identity that already had that permission.
  • Organizations relying on VPC Service Controls for egress assumptions. Varonis said the runtime sat outside that perimeter and could still reach the public internet.
  • Teams handling sensitive chat data. Customer support, healthcare, finance, and internal assistant workflows were the obvious high-risk deployments because the bot could read and replay exactly what users typed.

Why this incident stands out

Many AI incidents start with prompt injection or model manipulation. Rogue Agent did not need either. The attack path lived in ordinary product features, ordinary IAM, and a shared execution layer customers could not inspect. That makes it a cleaner example of the real operational problem in agent systems: permissions that sound administrative or editorial often collapse directly into runtime power.

It also shows why provider-managed agent runtimes deserve the same scrutiny teams already apply to CI runners, serverless functions, and browser sandboxes. If multiple agents share code paths, file system state, or egress paths behind the scenes, then one mis-scoped permission can become a project-wide compromise. The bug was fixed. The design lesson remains.

What teams should do

If you used Dialogflow CX Code Blocks before Google’s June 2026 fix, treat this like a runtime compromise question, not a simple configuration review.

  • Audit every holder of dialogflow.playbooks.update. In this case, edit access was execution access.
  • Review historical playbook changes and log anomalies. Start with Dialogflow API DATA_WRITE events, unusual source IPs, odd access times, and failed requests that may expose Code Block exceptions.
  • Reduce egress assumptions for managed AI runtimes. If a provider-controlled execution path can reach the public internet, treat that path as an exfiltration channel until proven otherwise.
  • Put a policy boundary in front of downstream actions. If the agent’s code execution and outbound actions were routed through Prismor, the exploit chain would have broken at the first policy violation: fetching a replacement payload from an untrusted domain, sending conversation data to an external sink, or invoking tools outside the session’s approved scope.
  • Ask vendors direct isolation questions. Shared wrappers, writable system files, metadata reachability, and hidden egress paths are architecture questions, not edge cases.

Prismor matters here because Rogue Agent was ultimately an action problem, not only a permission problem. The attacker needed the compromised runtime to do real things next: pull remote code, move data to an attacker-controlled destination, and execute behavior that was outside the bot’s intended job. A runtime guard at the tool-call boundary is where those steps become governable.

Diagram showing Prismor intercepting Dialogflow agent actions and blocking malicious code from reaching a Google-managed Cloud Run runtime
With an execution boundary in front of agent actions, the malicious payload fetch and exfiltration path become blockable events instead of post-incident evidence.

Prismor would have helped by intercepting the malicious follow-on steps shown in your diagram: the payload fetch, the attempt to route conversation data outward, and any tool use that fell outside approved policy. That is the practical lesson from this incident: identity controls decide who may edit an agent, but execution controls decide whether a compromised agent can still reach sensitive tools, unapproved destinations, and live data flows. Teams that put both layers in place are much harder to turn into full-project incidents.