CVE-2026-4764: Privilege Escalation in Dialogflow CX via Playbook Import
A Missing Authorization vulnerability in the playbook import functionality in Dialogflow CX on Google Cloud Platform allows an authenticated user with specific roles to escalate privileges and potentially take over a GCP project using a maliciously crafted playbook import. This vulnerability was patched on 15 March 2026, and no customer action is needed.
Metrics
- CVSS v4.0: 9.4
- Severity: CRITICAL
- Fixed in: 2026-03-15
- Affected Products: 1
HarborGuard Analysis
Synopsis
A missing authorization vulnerability in the playbook import functionality of Dialogflow CX on Google Cloud Platform allows an authenticated user to escalate privileges and take over the GCP project. The attack is reachable over the network and requires only a low-privilege account, with no victim interaction needed. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of both the Dialogflow CX service and the broader GCP project scope. A patched-image rebuild at fix version 2026-03-15 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Dialogflow CX client libraries or adjacent GCP tooling. Any image with a dependency version predating 2026-03-15 is flagged automatically.
Available
HarborGuard scores this CVE at CVSS 9.4 (Critical) and can weight that score against each environment's compliance policy to set priority and route alerts to the appropriate team inbox within each customer organization.
Available
A patched-image rebuild at fix version 2026-03-15 is available on HarborGuard for any image identified as running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The attacker must reach the Dialogflow CX API over the network; the vulnerable import endpoint is exposed as a standard over-the-network API surface.
- Authentication: Required
A low-privilege GCP account with specific Dialogflow CX roles is sufficient; no admin credentials are needed to initiate the attack.
- Victim interaction: Not required
No victim action such as clicking a link or opening a file is needed; the attacker submits the malicious playbook import directly.
- Attack complexity: Detail
Exploit complexity is low: the attack is reliable and requires no race conditions, special memory layout, or other environmental preconditions.
Blast Radius
- Attacker reads all data stored in the GCP project, including secrets, service-account keys, and customer records accessible to the project.
- Attacker modifies or deletes GCP project resources, including IAM bindings, storage buckets, and database contents.
- Attacker disrupts availability of Dialogflow CX agents and dependent GCP services within the project.
- Because the CVSS v4 subsequent-system scores are all High, attacker actions can propagate beyond Dialogflow CX to other services sharing the same GCP project identity.
How HarborGuard Handles This
Available on HarborGuard: images containing Dialogflow CX dependencies predating 2026-03-15 are matched against this CVE at ingest time, with detection available within minutes of the advisory entering upstream feeds. Because this is a Critical-severity issue (CVSS 9.4), the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. For those customers, HarborGuard rebuilds the image at the patched version, runs regression tests, and opens a PR against affected workloads. Where compliance policy requires manual approval, the rebuild artifact and a pre-populated PR are staged and held for reviewer sign-off. Customers who have not yet updated should treat any Dialogflow CX deployment predating the 2026-03-15 patch date as carrying full privilege-compromise risk and, in the interim, review GCP IAM audit logs for unexpected role changes or playbook import events.
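One way to run the audit-log review described above, as an added example (not HarborGuard or Google code): it lists playbook import events and added IAM bindings from exported Cloud Audit Logs, and marks grants that follow an import. Assumptions: the export is one JSON entry per line, the log lines are constructed samples, the Dialogflow `methodName` value is assumed, and the one-hour window is arbitrary.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed correlation window, tune per environment

# Constructed sample entries in Cloud Audit Logs shape (one JSON object per line).
# The Dialogflow methodName is an assumed value; check the names in your own logs.
SAMPLE = """
{"timestamp":"2026-03-01T09:00:00Z","protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"admin@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/viewer","member":"user:alice@example.com"}]}}}}
{"timestamp":"2026-03-10T08:01:00Z","protoPayload":{"serviceName":"dialogflow.googleapis.com","methodName":"google.cloud.dialogflow.cx.v3beta1.Playbooks.ImportPlaybook","authenticationInfo":{"principalEmail":"dev@example.com"}}}
{"timestamp":"2026-03-10T08:03:00Z","protoPayload":{"serviceName":"dialogflow.googleapis.com","methodName":"google.cloud.dialogflow.cx.v3beta1.Sessions.DetectIntent","authenticationInfo":{"principalEmail":"dev@example.com"}}}
{"timestamp":"2026-03-10T08:07:30Z","protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"svc@example-project.iam.gserviceaccount.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/owner","member":"user:dev@example.com"}]}}}}
"""

def _ts(entry):
    # Sample timestamps use whole seconds with a trailing "Z".
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))

def is_playbook_import(payload):
    method = payload.get("methodName", "").lower()
    return (payload.get("serviceName") == "dialogflow.googleapis.com"
            and "playbook" in method and "import" in method)

def added_bindings(payload):
    """Return (role, member) pairs added by a SetIamPolicy call."""
    if not payload.get("methodName", "").endswith("SetIamPolicy"):
        return []
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return [(d.get("role"), d.get("member")) for d in deltas if d.get("action") == "ADD"]

def triage(ndjson_text):
    """List playbook imports and IAM grants; mark grants within WINDOW after an import."""
    entries = sorted((json.loads(l) for l in ndjson_text.splitlines() if l.strip()), key=_ts)
    import_times, findings = [], []
    for e in entries:
        p, when = e.get("protoPayload", {}), _ts(e)
        actor = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
        if is_playbook_import(p):
            import_times.append(when)
            findings.append({"time": e["timestamp"], "kind": "playbook_import", "actor": actor})
        for role, member in added_bindings(p):
            near = any(timedelta(0) <= when - t <= WINDOW for t in import_times)
            findings.append({"time": e["timestamp"], "kind": "iam_grant", "actor": actor,
                             "role": role, "member": member, "after_import": near})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Grants marked `after_import` are candidates for review, not proof of exploitation; the grant may be made by a different principal than the one that ran the import, so correlation here is by time only.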
Fix available
- Google Cloud / Dialogflow CX: < 2026-03-15 (from 0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Clear