Confused Deputy Problem (MCP)
A privilege-escalation vulnerability pattern unique to **federated MCP architectures** where an MCP proxy/gateway connects to a downstream third-party API using a *static* Client ID. A malicious MCP client exploits the combination of dynamic client registration, the proxy's static Client ID, and shared OAuth consent cookies to coerce the proxy server into requesting authorization codes from a downstream service — without the legitimate resource owner ever consenting. The proxy's elevated privileges become the attack vector.
Definition
A privilege-escalation vulnerability pattern unique to **federated MCP architectures** where an MCP proxy/gateway connects to a downstream third-party API using a *static* Client ID. A malicious MCP client exploits the combination of dynamic client registration, the proxy's static Client ID, and shared OAuth consent cookies to coerce the proxy server into requesting authorization codes from a downstream service — without the legitimate resource owner ever consenting. The proxy's elevated privileges become the attack vector.
Recent developments
- The Apache Polaris credential-vending CVEs (May 2026) are a textbook confused-deputy attack outside the MCP context, generalizing the pattern this node describes. The catalog is the deputy: it holds broad cloud IAM authority and is supposed to hand out narrowly scoped credentials on a caller's behalf. In CVE-2026-42810 (CVSS 9.9 on 3.1) the attacker supplies a crafted table name with literal wildcard characters, tricking the deputy into generating an over-scoped S3 policy and vending credentials that reach other tenants' data — the deputy exercises its authority on the attacker's behalf without realizing the request exceeds the caller's rights. It is the same structural flaw as an MCP server over-trusting tool inputs, just with cloud IAM as the confused authority and fixed in Polaris 1.4.1. Per CVE-2026-42810 (ThreatInt).
- MCP Security Best Practices explicitly enumerates Confused Deputy. The official MCP docs call it out as a top-tier vulnerability class, with recommended mitigations (per-client downstream credentials, strict consent-flow audit, isolation of dynamic-registration from privileged downstream access). Per MCP — Security Best Practices.
- Maps to OWASP MCP07 (Insufficient Authentication & Authorization) + MCP02 (Privilege Escalation via Scope Creep). Confused Deputy is the operational mechanism by which agents acquire unintended downstream capabilities. Per Practical DevSecOps — OWASP MCP Top 10 Risks.
- NSA cybersecurity advisory flags the Confused Deputy pattern. Per NSA — MCP Security Design Considerations.
- Architectural mitigation: per-tenant downstream credentials + consent-flow attestation. Production-grade MCP gateways now ship with strict per-client OAuth state isolation; static-Client-ID proxy mode is treated as legacy / deprecated.