Last updated: July 2026 · Orchesis reference

Confused Deputy Attack in Agentic AI

A confused deputy attack in agentic AI is when an attacker tricks a privileged AI agent into misusing its legitimate authority on the attacker's behalf. The agent is the "deputy": it holds credentials, tokens, and permissions, and the attacker manipulates it into accessing data or performing actions the attacker could never do directly — because the agent acts on its own authority without checking who the request is truly for. It is a decades-old access-control flaw (first described in 1988) now reappearing in AI agents and the Model Context Protocol, where agents freely forward tokens and chain tool calls. The core defense is per-tool least-privilege scoping and explicit checks on the intended audience of every credential.

How the confused deputy problem works

A deputy is any program that acts on behalf of others while holding more privilege than the requester. It becomes "confused" when it cannot tell whose authority a given request should use. An AI agent is a powerful deputy: it has broad tool access and often carries the user's OAuth token. If an attacker (through prompt injection, a poisoned tool, or a crafted input) gets the agent to perform a privileged action, the agent uses its own permissions — not the attacker's — so access checks pass.

Confused deputy in MCP

In MCP, the problem shows up two ways. First, token forwarding: an agent passes its user's OAuth token to an MCP server or tool that should not receive it, letting that tool act with the user's full authority. Second, tool chaining: one tool's output induces the agent to call a second, more privileged tool, laundering the request through the agent's permissions. Both exploit the agent's failure to bind authority to the true requester.

How to prevent a confused deputy attack

  1. Per-tool scoped tokens — issue short-lived, least-privilege credentials to each tool instead of forwarding broad user tokens.
  2. Audience and origin checks — verify that a token's intended audience matches the tool receiving it.
  3. Explicit user intent — require human approval before the agent uses high-privilege authority for a new destination.
  4. Isolate untrusted input — treat tool descriptions and results as untrusted so injected instructions cannot redirect the agent's authority.
  5. Log the authority chain — record which credential was used for each action to detect misuse.

Context

The confused deputy problem is a classic capability-security concept (Norm Hardy, 1988) and maps directly onto OWASP's agentic-AI risks around excessive agency and identity. In agentic systems, it is closely related to token theft and excessive agency, and it is catalogued in the CASURA taxonomy of AI-agent vulnerabilities. The practical lesson: an agent's authority must be bound to the real requester, not to whatever input most recently reached the model.

Sources: OWASP Agentic Security Project · Model Context Protocol specification · CASURA taxonomy (Orchesis). Reference maintained by Orchesis, an open-source AI-agent security proxy.