The 'Rogue Agent' vulnerability (CVE 2026 4764) was a privilege escalation chain in Google Cloud's Dialogflow CX that allowed an attacker with edit rights on one agent to inject malicious Python code into shared Playb... Varonis discovered the issue in November 2025.

Create a landscape editorial hero image for this Studio Global article: Search & fact-check with cited sources for What was the "Rogue Agent" vulnerability disclosed by Varonis Threat Labs in Google Cloud's Dialo. Article summary: **Answer:** The "Rogue Agent" vulnerability was a critical privilege-escalation chain in Google Cloud's Dialogflow CX that let an attacker with edit rights on one agent inject malicious Python code into shared Playbook C. Topic tags: general, government, documentation, general web, user generated. Style: premium digital editorial illustration, source-backed research mood, clean composition, high detail, modern web publication hero. Use reference image context only for broad subject, composition, and topical grounding; do not copy the exact image. Avoid: logos, brand marks, copyrighted characters, real person likenesses, fake screenshots, UI text, readable text,
A critical vulnerability chain in Google Cloud's Dialogflow CX, dubbed Rogue Agent, could have allowed an attacker with only edit permissions on a single chatbot agent to silently hijack conversations, steal sensitive data, and compromise every other AI agent in the same cloud project.
Security firm Varonis Threat Labs discovered the flaw in late 2025 and worked with Google to patch it before any known exploitation occurred. Here is what happened, how it worked, and what it means for the security of multi-agent AI systems.
Dialogflow CX is Google Cloud's flagship platform for building conversational AI agents — chatbots and voice assistants used by enterprises for customer support, financial services, and healthcare . A key feature is Playbooks, which let developers control agent behavior by attaching inline Code Blocks — snippets of Python code that run inside the agent's pipeline
.
Varonis discovered that these Code Blocks lacked proper isolation between agents . The attack chain worked as follows:
dialogflow.playbooks.update permission on one Code Block-enabled agent could craft a malicious playbook import CVE-2026-4764 describes the core root cause: a missing authorization check in the playbook import functionality . The vulnerability carries a CVSS score of 9.4, marking it as a critical security risk
.
Once the malicious code was running inside a victim agent, the attacker could :
Google confirmed that no customer action was required for the patches .
Varonis identified that the isolation between agents sharing Code Block runtimes was fundamentally insufficient . Even after fixing the import authorization, the architecture itself allowed cross-agent code execution if any single agent was compromised — a design-level issue that required the second patch in June 2026 to fully address.
Google also added a prompt security check setting in the agent configuration to help detect and block prompt-injection attacks that could be used as part of similar exploitation chains in the future .
There is no evidence the vulnerability was ever exploited in the wild before the patch . A Google Cloud spokesperson confirmed: "We have no known indication of customer compromise. No customer action is required."
The Rogue Agent vulnerability is a stark reminder that the security models underlying many AI agent platforms have not yet caught up with the complexity of multi-tenant, code-executing environments. As more enterprises deploy conversational AI agents that can run custom code, the shared-runtime attack surface becomes a critical concern.
Organizations using Dialogflow CX should verify that prompt security checks are enabled and audit which identities have
dialogflow.playbooks.update permissions — the single permission that could have started this attack chain .
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
The 'Rogue Agent' vulnerability (CVE 2026 4764) was a privilege escalation chain in Google Cloud's Dialogflow CX that allowed an attacker with edit rights on one agent to inject malicious Python code into shared Playb...
The 'Rogue Agent' vulnerability (CVE 2026 4764) was a privilege escalation chain in Google Cloud's Dialogflow CX that allowed an attacker with edit rights on one agent to inject malicious Python code into shared Playb... Varonis discovered the issue in November 2025. Google issued an initial patch in March 2026 (CVE 2026 4764) and a complete fix by June 2026.