Multiple reports describe a vulnerability in Google’s Dialogflow CX that could allow an attacker to hijack AI conversation flows. Security researchers report that the issue, referred to as “Rogue Agent,” could be exploited by someone who has edit rights on a Dialogflow CX agent that uses the Code Block feature. If successfully exploited within the same Google Cloud project, the attacker could potentially affect other Code Block-enabled agents, rather than being limited to the one agent they directly can edit.

According to the reports, exploitation could let the attacker silently manipulate what the chatbot says and does during live interactions. The attacker could potentially access conversation content and the data users provide, which creates exposure for confidential information. The reports also state that the compromised bots could be induced to send attacker-authored messages to users. One example mentioned is prompting users to re-enter a password, which could facilitate account or credential compromise.

The vulnerability is attributed to findings by Varonis, with outlets describing the potential impact across agents inside the same Google Cloud project under the described conditions.