Pain Point

Confused Deputy Problem (MCP)

A privilege-escalation vulnerability pattern unique to **federated MCP architectures** where an MCP proxy/gateway connects to a downstream third-party API using a *static* Client ID. A malicious MCP client exploits the combination of dynamic client registration, the proxy's static Client ID, and shared OAuth consent cookies to coerce the proxy server into requesting authorization codes from a downstream service — without the legitimate resource owner ever consenting. The proxy's elevated privileges become the attack vector.

Recent developments

Latest signals
  • MCP Security Best Practices explicitly enumerates Confused Deputy. The official MCP docs call it out as a top-tier vulnerability class, with recommended mitigations (per-client downstream credentials, strict consent-flow audit, isolation of dynamic-registration from privileged downstream access). Per MCP — Security Best Practices.
  • Maps to OWASP MCP07 (Insufficient Authentication & Authorization) + MCP02 (Privilege Escalation via Scope Creep). Confused Deputy is the operational mechanism by which agents acquire unintended downstream capabilities. Per Practical DevSecOps — OWASP MCP Top 10 Risks.
  • NSA cybersecurity advisory flags the Confused Deputy pattern. Per NSA — MCP Security Design Considerations.
  • Architectural mitigation: per-tenant downstream credentials + consent-flow attestation. Production-grade MCP gateways now ship with strict per-client OAuth state isolation; static-Client-ID proxy mode is treated as legacy / deprecated.
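To make the mechanism and the mitigation concrete, here is an added example (not code from the page, the MCP project, or any of the cited sources) that models a proxy's authorization endpoint in two modes. The legacy mode honours a user-wide consent cookie for any dynamically registered client and forwards with the proxy's static downstream Client ID; the hardened mode records consent per (user, client_id, redirect_uri) and rejects redirect targets that differ from the one registered. All names (`ProxyState`, `authorize_legacy`, `authorize_hardened`, the example hostnames and the placeholder static Client ID) are hypothetical.

```python
# Added example, not from the page or the MCP project: a minimal model of an
# MCP proxy's /authorize decision. ProxyState, authorize_legacy,
# authorize_hardened and all sample values below are hypothetical.
from dataclasses import dataclass, field
import hashlib
import secrets


@dataclass
class ProxyState:
    # The single downstream Client ID the proxy holds for the third-party API
    static_downstream_client_id: str
    # Dynamically registered MCP clients: client_id -> registered redirect_uri
    registered_clients: dict = field(default_factory=dict)
    # Hardened mode: consent recorded per (user, client_id, redirect_uri)
    consent_records: set = field(default_factory=set)
    # Audit trail of consent and forwarding decisions
    audit_log: list = field(default_factory=list)


def register_client(state, redirect_uri):
    """Dynamic client registration: any caller can obtain a client_id."""
    client_id = "dyn-" + secrets.token_hex(4)
    state.registered_clients[client_id] = redirect_uri
    return client_id


def consent_key(user, client_id, redirect_uri):
    """Bind consent to the exact (user, client, redirect target) triple."""
    return hashlib.sha256(f"{user}|{client_id}|{redirect_uri}".encode()).hexdigest()


def grant_consent(state, user, client_id, redirect_uri):
    """Record that the resource owner approved this specific client."""
    state.consent_records.add(consent_key(user, client_id, redirect_uri))
    state.audit_log.append(("consent", user, client_id, redirect_uri))


def authorize_legacy(state, user, client_id, redirect_uri, has_consent_cookie):
    """Legacy behaviour: a user-wide consent cookie skips the consent screen
    for any registered client, so the proxy forwards with its static ID."""
    if client_id not in state.registered_clients:
        return ("reject", "unknown client")
    if has_consent_cookie:
        state.audit_log.append(("forward", user, client_id, redirect_uri))
        return ("forward", state.static_downstream_client_id, redirect_uri)
    return ("consent_required", client_id)


def authorize_hardened(state, user, client_id, redirect_uri):
    """Hardened behaviour: consent is checked per client and per redirect_uri;
    consent given to one client does not carry over to another."""
    registered_uri = state.registered_clients.get(client_id)
    if registered_uri is None:
        return ("reject", "unknown client")
    if registered_uri != redirect_uri:
        state.audit_log.append(("reject", user, client_id, redirect_uri))
        return ("reject", "redirect_uri mismatch")
    if consent_key(user, client_id, redirect_uri) not in state.consent_records:
        return ("consent_required", client_id)
    state.audit_log.append(("forward", user, client_id, redirect_uri))
    return ("forward", state.static_downstream_client_id, redirect_uri)


def demo():
    """Constructed scenario: the user consented once to a trusted client,
    then a second, newly registered client requests authorization."""
    state = ProxyState(static_downstream_client_id="PLACEHOLDER-static-client-id")
    user = "alice@example.test"
    trusted_uri = "https://trusted.example.test/cb"
    trusted = register_client(state, trusted_uri)
    grant_consent(state, user, trusted, trusted_uri)
    newcomer_uri = "https://other.example.test/cb"
    newcomer = register_client(state, newcomer_uri)
    return {
        # Legacy: the cookie set during the first consent is user-wide
        "legacy_new_client": authorize_legacy(state, user, newcomer, newcomer_uri,
                                              has_consent_cookie=True)[0],
        # Hardened: the new client has no consent record of its own
        "hardened_new_client": authorize_hardened(state, user, newcomer, newcomer_uri)[0],
        # Hardened: the trusted client is still forwarded
        "hardened_trusted": authorize_hardened(state, user, trusted, trusted_uri)[0],
        # Hardened: a redirect_uri other than the registered one is refused
        "hardened_uri_mismatch": authorize_hardened(
            state, user, trusted, "https://elsewhere.example.test/cb")[0],
    }


if __name__ == "__main__":
    print(demo())
```

The audit log kept in `ProxyState` is what the "strict consent-flow audit" mitigation above amounts to in practice: every forward should be traceable to a consent record for that exact client and redirect target, and a forward without a matching consent entry is the signal to alert on.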
