Privilege Escalation Vulnerability in Google Cloud's Dialogflow CX
CVE-2025-12952

8.7 HIGH

Key Information:

Vendor
CVE Published: 10 December 2025

What is CVE-2025-12952?

A privilege escalation vulnerability exists in Google Cloud's Dialogflow CX: developers with Webhook editor permissions can misconfigure Webhooks to use Dialogflow service agent access tokens. This misconfiguration allows unauthorized elevation of privileges from agent level to project level, enabling attackers to manage resources linked to the project. Such access could lead to unexpected operational costs and depletion of resources within the affected project. A server-side fix was deployed in February 2025, eliminating this vulnerability without requiring any customer action.

Affected Version(s)

Dialogflow CX 0 < 2025-02

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

asterfiester