External risk intelligence

Dialogflow CX Privilege Escalation via Playbook Import.

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-4764

A critical vulnerability in Dialogflow CX allowed authenticated users to escalate privileges and potentially take over a GCP project by importing a malicious playbook. This issue has been patched, and no customer action is needed.

1Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-4764

The vulnerability exists within the backend functionality of a managed cloud service platform (Dialogflow CX) and requires an authenticated user with specific roles to perform the action. It is not an internet-facing endpoint reachable by public users, as it is restricted to authenticated users within the internal management environment of the cloud provider's service.

PCI scan relevance

PCI Relevance for CVE-2026-4764

Yes

CVE-2026-4764 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability involves missing authorization and privilege escalation, which are types of issues that typically cause an ASV scan to fail under PCI DSS requirements.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability in Dialogflow CX, a Google Cloud Platform service, allowed authenticated users to escalate privileges by importing a specially crafted playbook, potentially leading to project takeover. This issue has been resolved.

  • A security flaw enabled privilege escalation via playbook import.
  • Leadership should recall this as a cloud service risk example.
  • Confirm relevance and exposure for Dialogflow CX usage.

Attack Path

How an attacker could exploit the issue

An authenticated user with specific administrative roles could exploit this vulnerability by importing a specially crafted playbook. This action targets the playbook import feature within Dialogflow CX, leading to privilege escalation and potential control over a Google Cloud Platform project. The attacker starts with legitimate access and leverages a weakness in how the system validates authorization for playbook imports.

  • Requires authenticated user with specific roles.
  • Triggered by importing a malicious playbook.
  • Leads to privilege escalation.

Live Threat

Current exploitation, exposure, and threat context

An authenticated user with specific roles could potentially escalate their privileges within Dialogflow CX, enabling them to gain control over a Google Cloud Platform project. This could occur when a user with the necessary permissions imports a specially crafted playbook.

  • GCP project control could be at risk.
  • Malicious playbook imports could enable this.
  • Project takeover is a potential consequence.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

For this vulnerability, the platform team managing Dialogflow CX on Google Cloud Platform is primarily responsible for remediation, as the issue lies within the managed service itself. Since the vulnerability was patched on March 15, 2026, and no customer action is required, the immediate practical move is to confirm that the patch has been successfully deployed and that the service remains secure.

  • Platform team owns the vulnerability.
  • Verify successful patch deployment.
  • Monitor service health and integrity.

Frequently asked questions

What is Dialogflow CX?

Dialogflow CX is a Google Cloud Platform service used for building advanced conversational artificial intelligence agents. It enables developers to design and manage complex, multi-turn virtual agent applications, such as chatbots or voice assistants, which can handle sophisticated customer interactions and integrate with other cloud-based workflows.

How does CVE-2026-4764 impact system security?

This vulnerability is classified as Missing Authorization (CWE-862). In plain terms, the system failed to properly check if a user had permission to perform a specific action. By importing a maliciously crafted playbook, an authenticated user could bypass security controls, escalate their privileges, and potentially gain full control over the associated Google Cloud project.

Do I need to import a playbook to trigger this?

Yes. The vulnerability is tied specifically to the playbook import functionality. It cannot be triggered by simply interacting with a chatbot or using standard conversational features. Furthermore, it requires an authenticated user who already possesses specific administrative roles to initiate the import, meaning it is not accessible to a random or unauthorized visitor.

Is this vulnerability reachable from the internet?

According to Halo Surface Signal, this is considered very unlikely. Because the flaw resides in the backend of a managed cloud service and requires pre-existing authentication and specific roles, it is not an internet-facing endpoint open to the public. It is contained within the internal management environment of the cloud provider's service.

What should I do to address this CVE?

No action is required on your part. Google addressed this issue directly within the managed service infrastructure on March 15, 2026. As the platform provider handles the remediation for this type of backend cloud flaw, you only need to verify that your service is operating normally and continue following standard operational health monitoring practices.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished