Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Network-reachable Google API (AV:N), no special conditions beyond a low-tier Dialogflow role (AC:L, PR:L), no user interaction, and impact crosses from the service to the entire GCP project (S:C with C/I/A:H).
Primary rating from Vendor (GoogleCloud).
CVSS VectorVendor: GoogleCloud
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Lifecycle Timeline
2DescriptionCVE.org
A Missing Authorization vulnerability in the playbook import functionality in Dialogflow CX on Google Cloud Platform allows an authenticated user with specific roles to escalate privileges and potentially take over a GCP project using a maliciously crafted playbook import.
This vulnerability was patched on 15 March 2026, and no customer action is needed.
AnalysisAI
Privilege escalation in Google Cloud Dialogflow CX allows authenticated users holding specific IAM roles to abuse the playbook import functionality and potentially take over the entire GCP project. Google has confirmed the issue was patched server-side on 15 March 2026 with no customer action required, and no public exploit has been identified at time of analysis.
Technical ContextAI
Dialogflow CX is Google Cloud's advanced conversational AI platform for building virtual agents, where 'playbooks' are reusable configurations describing agent behavior that can be imported between projects. The root cause maps to CWE-862 (Missing Authorization): the playbook import code path failed to enforce a sufficient authorization check on the importing principal, allowing a caller with lower-tier Dialogflow roles to perform actions that should have been gated behind project-level permissions. The CPE cpe:2.3:a:google_cloud:dialogflow_cx confirms the flaw lives in the managed cloud service rather than a downloadable component, meaning fix deployment is centralized at Google.
RemediationAI
Patch available per vendor advisory: Google has remediated the playbook import authorization check in the managed Dialogflow CX service as of 15 March 2026, and the official guidance in https://docs.cloud.google.com/dialogflow/docs/release-notes#May_07_2026 explicitly states no customer action is required. Customers concerned about prior exposure should still review Cloud Audit Logs for unexpected dialogflow.googleapis.com playbook import calls performed by lower-privileged principals between service GA and 15 March 2026, and tighten IAM bindings so that only trusted principals hold Dialogflow editor-tier roles in production projects - the trade-off being added friction for legitimate conversational-AI developers.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36221
GHSA-6c66-33pw-q83j