Varonis disclosed a vulnerability in Google's Dialogflow CX platform that allowed attackers to extract sensitive data from AI chatbots through rogue agent creation. The flaw enabled unauthorized access to conversation logs, user inputs, and backend system details without requiring authentication or elevated permissions.
The vulnerability stemmed from insufficient access controls on agent creation functionality. An attacker could instantiate malicious agents within a Dialogflow CX environment, then extract data flowing through legitimate chatbot conversations. This posed direct risk to organisations deploying customer service bots, virtual assistants, and conversational AI systems that handle personally identifiable information or proprietary business data.
Varonis reported the flaw to Google in late 2025. Google has patched the vulnerability. The company has not disclosed detailed technical specifications of the attack vector, typical for responsible disclosure practices involving major cloud providers.
The incident underscores a broader security gap in AI infrastructure deployments. Many organisations treating generative AI and chatbot platforms as isolated services fail to apply fundamental access control principles. Dialogflow CX sits within Google Cloud's broader ecosystem, meaning compromised instances could potentially provide pivot points into connected GCP resources or downstream systems.
Defenders should audit their Dialogflow CX configurations immediately. Key actions include restricting agent creation permissions to authorised personnel only, implementing role-based access controls (RBAC) aligned with least-privilege principles, and enabling Cloud Audit Logs to detect unauthorized agent instantiation attempts. Organisations should also review conversation data retention policies and classify what information flows through their chatbots.
The Varonis research also highlights dependency risk. Many organisations lack visibility into third-party AI services their teams deploy. Shadow AI adoption compounds the problem. Teams stand up chatbots or language model integrations without security oversight, creating unmonitored data exfiltration paths.
Google Cloud customers running Dialogflow CX should verify
