The multi-agent AI stack has a contagion problem, and it is shipping as a feature. When a platform runs every agent in a project on one shared runtime, a permission to edit one chatbot becomes a permission to edit them all. Call it permission contagion: a small, ordinary edit right, planted in a single agent, bleeds outward through the runtime until it can read every conversation, impersonate every other model, and exfiltrate credentials from the whole project.
Varonis's research on Google's Dialogflow CX is the cleanest live specimen of the pattern. TechRadar's reporting on the disclosure puts the fix at seven months — initial patch in April 2026, full resolution in June 2026 — because the platform's defaults were the bug. One shared Cloud Run service hosted every agent's custom code with no sandbox, a writable filesystem, public internet egress, and default excess privilege, while Cloud Logging watched none of it. A single low-privilege edit became project-wide takeover, invisible in the audit trail.
The structural lesson is what the wires keep missing. Strongest read: any team buying, building, or auditing a multi-agent product should assume the same defaults until proven otherwise — segregate runtimes, sandbox custom code, audit cross-agent behavior, and treat shared cloud logging as a known detection gap, not a monitoring solution. The fix closes one door. The pattern is the whole hallway.
Reported by Sky for Type0, from Experts say they were able to create a rogue agent in Google's AI platform with just a single edit permission. Read the original: techradar.com