Confused-Deputy Vulnerabilities in Modern Systems
- Confused-deputy behavior is a security flaw where an unprivileged actor manipulates a privileged agent to perform unauthorized operations on secure resources.
- It manifests across diverse systems including LLM-based applications, cloud APIs, mobile autofill, edge AI accelerators, and smart contracts through crafted malicious inputs.
- Mitigations involve strict access control, context partitioning, and dynamic validation to effectively counter privilege escalations and integrity breaches.
Confused-deputy behavior denotes a security failure in which a privileged system component or agent (the "deputy") is tricked, by a less-privileged actor, into misusing its authority—often violating the intended access-control or integrity guarantees. The term originates in Hardy’s 1988 formulation for capability systems, but in recent research, its instantiations span LLM-based agents, retrieval-augmented generation (RAG) systems, agent toolchains, autofill frameworks, cloud APIs, edge AI accelerators, GUI automation, and smart contracts. Across these domains, the core pattern is consistent: an attacker supplies input (directly or indirectly) that induces a more-privileged intermediary to perform privileged operations on the attacker’s behalf, with violations including data exfiltration, integrity compromise, and privilege escalation (RoyChowdhury et al., 2024, Wang et al., 30 May 2026, Oesch et al., 2021, Liu et al., 16 Mar 2026, Li et al., 12 Mar 2026, Danduri et al., 18 May 2026, Zuvic, 27 Jun 2026, Hwang et al., 5 Feb 2025, Yao et al., 2024).
1. Formal Definition and Generalized Models
The archetypal confused-deputy attack involves three principals: an attacker (A), the deputy (D, with greater privilege), and some resource belonging to an owner (O). D is expected to enforce policy Π mediating A’s requests to O’s resources, only granting access according to Π. The confused-deputy flaw emerges when A induces D to access or modify R′—a resource under O’s protection—not through direct access, but through D's privileged mediation. In formalized agent architectures, this can be expressed as follows: for agents with privilege sets , a confused-deputy event occurs if with such that induces to perform an action on a resource , with failing to mediate the delegation request against policy (Li et al., 12 Mar 2026).
For smart contracts, the SCIF framework defines an ℓ-confused-deputy event at a call site if (the call succeeds) but (the caller is not trusted at the required authority level), capturing the integrity leakage (Yao et al., 2024).
In LLM/pluggable tool agent architectures, confused-deputy manifestations arise when untrusted model output or user-controlled context results in dispatching a privileged tool with arguments unchecked by any deterministic access-control policy (Zuvic, 27 Jun 2026).
2. Manifestations Across System Domains
RAG and LLM-based Systems
In RAG settings, such as enterprise deployments of Copilot, the LLM and its retrieval subsystem serve as deputies. An adversarial user (often an insider) can insert crafted instructions into shared documents. Upon retrieval and prompt construction, these embedded adversarial directives are concatenated directly into the LLM’s prompt alongside genuine context and the user query. The model, unable to distinguish between genuine data and adversarial instruction due to lack of syntactic or semantic boundaries, executes attacker-supplied logic—yielding both integrity violations (misinformation propagation, citation suppression) and confidentiality failures (continual leakage from stale vector index windows) (RoyChowdhury et al., 2024).
Multi-tenant LLM Apps and Context Poisoning
In ecosystems like ChatGPT Apps, cross-app context poisoning arises when an unprivileged or malicious app injects adversarial content into the flat, unpartitioned shared chat context. The orchestrator LLM is then induced to invoke side-effecting tools or benign co-resident apps with attacker-selected parameters—functionalized as 0—with no provenance-aware boundary (Wang et al., 30 May 2026).
Autofill Frameworks
On mobile platforms, both iOS and Android autofill services exemplify the confused-deputy pattern. Autofill frameworks, privileged to access the user’s decrypted credential vault, can be induced by attacker-controlled apps or webviews to inject secrets into malicious contexts, misleadingly validated only by superficial or incomplete checks (such as user consent or loose app-domain associations), failing to ensure that the real destination is legitimate (Oesch et al., 2021).
Edge AI Accelerators
AIAs, such as TPUs and NPUs, are often decoupled from system-level memory protection. User-mode applications can hand the AI accelerator a handle (e.g., SMID) to privileged physical pages, bypassing OS-enforced boundaries due to the accelerator’s lack of context about host memory ownership, thus implementing a semantic gap that yields classic confused-deputy escalations (Danduri et al., 18 May 2026).
Instruction-Following LLMs and Instructional Distraction
LLMs trained to privilege explicit instruction-following easily mistake instructional phrases embedded in input as commands to execute, “elevating” attacker-supplied or distractor instructions embedded in user data above the true order, leading to output that satisfies the attacker's request or distractor instructions rather than following user intent—a privilege confusion at the semantic level (Hwang et al., 5 Feb 2025).
Smart Contracts
Smart contract ecosystems, especially those supporting open and dynamic invocation (e.g., Solidity/EVM), are susceptible to confused-deputy vulnerabilities manifested through misrouted authority in multi-contract transactions. Without strong, statically enforced integrity labels and type matching, deputies can be tricked into signing transactions or calls with excessive authority, as shown in the Dexible attack and defeated via SCIF’s label-flow and cast verification (Yao et al., 2024).
3. Concrete Attack Classes and Empirical Findings
| Domain | Mechanism | Privilege Escalation Vector |
|---|---|---|
| RAG systems | Prompt injection, cache staleness | Embedded instructions, phantom doc leaks |
| Multi-tenant LLM apps | Context poisoning via APIs | Cross-app tool invocation with attacker-chosen params |
| Autofill frameworks | Weak origin binding | Credential phishing via app/webview |
| Edge AI accelerators | Zero-copy DMA, semantic gap | Arbitrary host memory access by AIA |
| LLM toolchains | Schema-gated (not policy-gated) calls | Side-effecting action with attacker-defined arguments |
| Smart contracts | Open invocation/cast confusion | High-integrity contract misused with attacker input |
Experimental results confirm the broad feasibility of confused-deputy exploitation:
- ConfusedPilot observes output flipping to attacker’s injected context within 1 s (benign:malicious=100:1) and secret leakage via phantom documents within similar windows (RoyChowdhury et al., 2024).
- Edge AI accelerators: 6 out of 7 tested vendor platforms found vulnerable, covering over 100 million SOCs; full kernel memory read/write via DMA handle manipulation (Danduri et al., 18 May 2026).
- ScopeGate’s five-stage per-call authorization blocks 100% of unauthorized tool-invocation attempts across both static and adaptive attack regimes, while default LLM-agent frameworks allow all well-typed (schema-valid) calls, regardless of argument provenance (Zuvic, 27 Jun 2026).
- Instructional distraction: DIM-Bench shows average LLM “distraction accuracy” below 0.5 across all instruction types, with near-0 accuracy for QA distractors, confirming systemic semantic privilege confusion (Hwang et al., 5 Feb 2025).
4. Architectural Root Causes
Confused-deputy vulnerabilities share recurring root causes:
- Absence of data/control separation: retrieved or embedded user/modifier content is directly concatenated with control instructions; the agent or model cannot syntactically or semantically distinguish intended privilege boundaries (RoyChowdhury et al., 2024).
- Flat, untagged context: in multi-tenant agent systems, all agent, app, and user messages are pooled into undifferentiated history, precluding per-principal mediation (Wang et al., 30 May 2026).
- Schema-only capability gating: tool invocation gates only on allowed function signatures or schemas, not on runtime argument values; thus the LLM can emit any allowed JSON-formatted call, regardless of intent or privilege, recreating the classic confused deputy (Zuvic, 27 Jun 2026).
- Semantic gap in privileged hardware: accelerators operate oblivious to higher-level OS permissions, enabling arbitrary mapping by unprivileged clients who control DMA descriptors (Danduri et al., 18 May 2026).
- Information-flow type subversion: in open-code ecosystems (smart contracts, plugin systems), type confusion or mismatched signature labels can relay authority across boundaries (Yao et al., 2024).
5. Representative Defenses and Mitigations
Research proposes a spectrum of mitigations:
- Prompt sanitization in RAG: filtering or removing directive-like phases from context before concatenation, enforcing structured (API, side-channel) injection rather than plain-text merges; dynamic information-flow monitors that enforce chunk tagging and policy at inference (RoyChowdhury et al., 2024).
- Context provenance and partitioning: in LLM app frameworks, stamping each message with principal origin and tool-linearization during context assembly; per-app sub-contexts with filtered mediation across boundaries (Wang et al., 30 May 2026).
- Deterministic policy enforcement: tools such as ScopeGate enforce per-invocation access checks, combining static tool allowlists with runtime argument-level vetos, monetary ceilings, idempotency keys, and default-deny behavior for side-effects (Zuvic, 27 Jun 2026).
- On-demand validation in AI accelerators: AIAs must validate that memory identifiers map to current-process-owned pages before executing DMA, amortized with local caches for low overhead (~15%) (Danduri et al., 18 May 2026).
- Strong information-flow type systems (e.g., SCIF): static and dynamic checks for label flow and cast congruence; disallowing raw address-based invocations and enforcing explicit, trusted interface methods (Yao et al., 2024).
- Multi-layered defense stack for agents: input anomaly detectors, model-level hierarchical instruction restrictions, sandboxing, and blocklist/allowlist enforcement at system boundaries—combined for defense-in-depth (Li et al., 12 Mar 2026).
- For autofill, confidential credential mediation via bidirectional app-domain binding, strong context auditing, send-time credential injection, and JavaScript isolation for filled fields (Oesch et al., 2021).
- Explicit instruction-priority mechanisms for LLMs (prompt tuning, datasets that emphasize following only top-level instructions), though practical efficacy remains limited (Hwang et al., 5 Feb 2025).
6. Implications and Future Directions
Confused-deputy failures occupy a central position in the evolving threat landscape of LLM- and agent-based systems, agentic software, and automated toolchains. Their persistence across domains reflects deep architectural challenges—absence of privilege-aware context boundaries, reliance on convention rather than enforceable policy, and conflated data-control planes. Empirical studies repeatedly demonstrate that default configurations in major open-source and commercial frameworks leave systems wide open to these attacks.
Notable forward-looking directions from current research include:
- Development of formal delegation and privilege models integrated directly into agent and agent-framework architectures, such that authority boundaries are explicit and enforceable.
- Dynamic adversarial benchmarks and risk-adaptive access models to quantify and harden against adaptive attacks (Li et al., 12 Mar 2026).
- Provably compositional type-and-label enforcement in open systems, as exemplified by SCIF, to defend against both known and future confused-deputy patterns in complex contract workflows (Yao et al., 2024).
- Robust provenance and call mediation for both model-based and tool-based actors, ensuring access and control flows are not subverted by attackers manipulating shared context or embedding crafted instructions (Wang et al., 30 May 2026, Zuvic, 27 Jun 2026).
- Cross-domain migration of proven architectural patterns (e.g., context partitioning from OSes to agentic LLM contexts; fine-grained mandatory access control from cloud infrastructure to LLM toolchains).
The defense-in-depth principle remains paramount: no single technique suffices, but layering precise authorization, sandboxing, origin/provenance tracking, input-control, and robust policy enforcement can collectively minimize the risk posed by confused-deputy failures in next-generation AI systems.
References:
- (RoyChowdhury et al., 2024) ConfusedPilot: Confused Deputy Risks in RAG-based LLMs
- (Wang et al., 30 May 2026) Confused ChatGPT: Cross-App Context Poisoning via First-Party APIs
- (Oesch et al., 2021) The Emperor's New Autofill Framework: A Security Analysis of Autofill on iOS and Android
- (Liu et al., 16 Mar 2026) Visual Confused Deputy: Exploiting and Defending Perception Failures in Computer-Using Agents
- (Li et al., 12 Mar 2026) Security Considerations for Artificial Intelligence Agents
- (Danduri et al., 18 May 2026) Speed Kills: Exploring Confused Deputy Attacks Through Edge AI Accelerators
- (Zuvic, 27 Jun 2026) Capability Gates Are Not Authorization: Confused-Deputy Failures in LLM Agent Frameworks
- (Hwang et al., 5 Feb 2025) LLMs can be easily Confused by Instructional Distractions
- (Yao et al., 2024) A Language for Smart Contracts with Secure Control Flow (Technical Report)