CVE-2025-13427
Authentication Bypass in Google Dialogflow CX Messenger Enables Unauthorized Access
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: GoogleCloud
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cloud_dialogflow | 4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authentication bypass in Google Cloud Dialogflow CX Messenger that allows unauthenticated users to interact with restricted chat agents. By manipulating initialization parameters or crafting specific API requests, attackers can gain access to the agents' knowledge and trigger their intents without proper authentication.
How can this vulnerability impact me? :
The vulnerability can allow unauthorized users to access restricted chat agents, potentially exposing sensitive information contained in the agents' knowledge base and enabling attackers to trigger actions or intents that should be protected. This could lead to information disclosure or unintended operations within the affected system.
What immediate steps should I take to mitigate this vulnerability?
Update to the latest version of Google Cloud Dialogflow CX Messenger released after August 20th, 2025, as these versions have been updated to protect from this vulnerability. No additional user action is required beyond applying this update.