Confused Deputy
Core Idea
A confused deputy is a privileged intermediary that takes an action on its own authority while the intent behind that action originated with an outsider who lacks the authority to take it directly. The system reliably establishes who the actor is — the intermediary is correctly authenticated, its credentials are valid, its identity is not in dispute — but it loses track of whose wish the actor is executing. The outsider, unable to act on the target directly, addresses the intermediary in a way that causes it to act, and in doing so effectively borrows the intermediary's privileges. The defining failure is the loss of intent provenance: every action enters the record as "the intermediary did this," when the load-bearing question is "whose intent produced this."
The pattern carries four structural commitments. First, a triad: an outsider O with no authority over a target T, an intermediary I that does hold that authority, and the target T itself. Second, address-rather-than-execute — O cannot operate on T directly but can address I in a way that induces I to operate on T. Third, authority elision at the boundary — when I acts, what is recorded and checked is I's authority, not O's originating intent, so the two are silently fused. Fourth, a defence surface of intent-provenance rather than authentication — the corrective move is to carry the chain of who-actually-wanted-the-action forward through the call, not to verify more carefully who the actor is.
The structurally sharp way to see the failure is in terms of authority composition. When an action passes through an intermediary, its effective authority should be the intersection of the caller's authority and the intermediary's — the action is permitted only if both the originator and the executor were entitled to it. A confused-deputy system instead computes the union: the intermediary's ambient authority is applied to an intent it did not generate, and the originator's lack of authority is invisible. Any arrangement that grants an intermediary standing authority and then lets external parties direct that authority without re-checking the originator inherits the vulnerability, regardless of medium.
Structural Signature
an unauthorised outsider with intent — a privileged intermediary correctly authenticated — a target the outsider cannot reach directly — the address-rather-than-execute relation — the authority-elision at the boundary — the union-instead-of-intersection composition invariant
The pattern is present when each of the following holds:
- An outsider with intent. A party O wants an action taken on a target T but holds no authority to take it directly.
- A privileged intermediary. A component I does hold authority over T and is correctly authenticated; its identity is never in dispute.
- A target. The resource, artifact, or system T can be operated on only by a party holding authority over it.
- Address-rather-than-execute. O cannot operate on T directly but can address I in a way that induces I to operate on T, thereby borrowing I's privileges.
- Authority elision. When I acts, what is recorded and checked is I's authority, not O's originating intent; the two are silently fused, and intent provenance is lost.
- Union-not-intersection composition. The effective authority of the through-action should be the intersection of caller and intermediary authority, but the vulnerable system computes the union — applying I's ambient authority to an intent O could not have authorised.
The components compose so that the load-bearing question shifts from "who acted?" (identity, never in doubt) to "whose intent produced the act?" (provenance, silently dropped). Hardening authentication cannot help; the fix re-attaches intent provenance through the call. A non-obvious invariant follows: privilege on a directable intermediary is a liability — more authority enlarges what an outsider can borrow.
What It Is Not
- Not consent. consent is a party's authorisation for an action affecting them; the confused deputy is the loss of intent provenance across an intermediary, where the system tracks who acted but not whose wish the actor executed. No defective consent is required — the intermediary's authority is valid.
- Not trust. trust is a relational expectation about another's behaviour; confused deputy is a composition failure where an intermediary's ambient authority is applied to an outsider's intent (union instead of intersection), regardless of trust relations.
- Not authority delegation under uncertainty. authority_delegation_under_uncertainty concerns how much discretion to grant; the confused deputy is the silent borrowing of an intermediary's authority by an unauthorised outsider, with the originator's lack of authority invisible.
- Not reputation. reputation aggregates a party's track record; confused deputy is a point-in-time authority-attribution failure, not a history-based judgement.
- Not data integrity. data_integrity is the property that content is uncorrupted; the confused deputy can act on perfectly intact data while mis-attributing the intent behind the action.
- Common misclassification. Diagnosing the failure as an authentication problem and hardening identity verification. Catch it by noting that the intermediary's identity was never in dispute — what was dropped is intent provenance, so the fix carries the originator's authority forward, not stronger authentication.
Broad Use
- Information security (original setting): server-side request forgery (a server fetches an outsider-supplied URL and so reaches internal resources only the server can access); cross-site request forgery (a browser attaches the user's session cookie to a request an attacker's page initiated); signing-oracle attacks (a service signs attacker-supplied content because callers may invoke its signing routine); Hardy's 1988 compiler-billing example.
- Financial fraud: wire-transfer authorisation routed through a trusted treasurer's account, where a fraudster directs the treasurer's system so the bank sees the treasurer's authority rather than the fraudster's intent; CEO-impersonation phishing has the same shape.
- Agency law (apparent authority): an agent's act binds a principal when third parties reasonably believed the agent was authorised, even though the principal never intended the act — the principal's authority is exercised by an act whose intent originated elsewhere.
- Clinical authority chains: a senior clinician's signature converts a junior's instruction into an authoritative order; the act is attributed to the senior's authority even though the originating intent was the junior's.
- Voice assistants: a broadcast saying "order paper towels" causes a household device to act on the household's authority, because the device cannot separate household intent from ambient audio.
Clarity
Naming the pattern dissolves the seductive but mistaken defence "but the intermediary was properly authenticated." It shifts the diagnostic question from who acted? to whose intent produced the act? and makes a category error legible: hardening the intermediary's identity verification cannot address the failure, because identity was never in dispute. The clarifying force is to separate two things that ordinary language fuses — the identity of the actor and the provenance of the intent — and to locate the fix in the second. It also makes a counter-intuitive prediction explicit and checkable: privilege accumulated on an intermediary is not purely an asset. The more authority a confused deputy holds, the larger the attack surface an outsider can borrow, so adding capability to such an intermediary strictly worsens its exposure.
Manages Complexity
The pattern collapses a wide family of substrate-specific failures — SSRF, CSRF, wire fraud, apparent-authority disputes, voice-assistant exploits — into a single frame with a small, portable intervention vocabulary. Rather than treating each as its own problem with its own ad-hoc countermeasures, a diagnostician reasons about one structural defect (authority composing as union rather than intersection) and selects from three intervention families. Capability-based access carries the originating authority as an unforgeable token, so the intermediary acts on a capability the caller supplied rather than on ambient authority. Caller-aware authorisation has the intermediary explicitly check that the action is permitted for the caller, not merely permitted for itself. Two-person or out-of-band confirmation on intent adds a separate step verifying that the intent matches the actor. Each family is a different way of re-attaching intent provenance, and the choice among them depends on where in the chain the provenance was lost. The compression is real: one diagnosis and three interventions replace a sprawl of substrate-specific patches.
Abstract Reasoning
The prime trains a reasoner to ask, of any privileged intermediary: which actions does it take on its own authority, and for which of those did the intent originate externally? Does the intermediary's authority compose with the caller's by intersection (safe) or by union (vulnerable)? Where, exactly, was the originator's identity dropped from the record, and can it be re-attached before the consequential action fires? The governing structural fact is that authority delegation under uncertainty cannot be safely implemented by ambient intermediary authority alone — it requires either that the caller bring the authority (capability-passing) or that the intermediary interrogate the caller's entitlement (caller-aware checks). A second reasoning move follows from the union/intersection framing: any time a system grants standing authority to a component that external parties can direct, the analyst should suspect a latent confused deputy and look for the elision point. The pattern also inverts a common intuition about capability — more privilege on a directable intermediary is a liability, not a strength, because it enlarges what an outsider can borrow.
Knowledge Transfer
A diagnostician who has internalised the prime in one substrate carries the same move to any other. The procedure is invariant: enumerate the actions an intermediary takes on its own authority; identify those whose intent originated outside; ask whether the intermediary's authority composes with the originator's by intersection or by union; and if by union, introduce capability-passing, caller-aware authorisation, or out-of-band confirmation to re-attach intent provenance. The security engineer hardening an SSRF-prone service, the bank designing dual-control on wire transfers, the lawyer reasoning about apparent authority, and the hospital designing sign-off chains are performing the same structural work; only the names of the parties differ. The role mappings transfer cleanly — outsider ↔ attacker / fraudster / unauthorised junior / broadcast source; intermediary ↔ server / browser / treasurer's system / senior clinician / voice device; target ↔ internal resource / signed artefact / payment system / patient order; intent provenance ↔ session token / signature chain / dual-control record / authorisation chain. The transferred prediction is non-obvious and the same everywhere: accumulating privilege on a directable intermediary increases rather than decreases its vulnerability, the reverse of the usual "more capable is more useful" expectation. What stays substrate-specific is only the work of identifying what counts as the originating intent and where in the call chain it is dropped — once those are located, the intervention catalogue applies unchanged. This is why the capability-based fix Hardy proposed in 1988 reappears, structurally identical, as object capabilities, OAuth scopes done correctly, and prepared-statement parameter binding: each re-attaches the originator's authority to the action rather than relying on the intermediary's ambient privilege.
Examples
Formal/abstract
Server-side request forgery (SSRF) is the prime's cleanest worked instance, because it exhibits the union-not-intersection composition as an exact, checkable defect. The target T is an internal resource — a cloud metadata endpoint or an internal admin service — reachable only from inside the trust boundary. The privileged intermediary I is a public-facing application server that, by design, sits inside that boundary and is correctly authenticated to the internal network; its identity is never in doubt. The outsider O is an external user who has no authority to reach T directly. The address-rather-than-execute relation is the application feature that lets O supply a URL for the server to fetch — an image-preview or webhook function. O cannot connect to the metadata endpoint, but O can address the server with a URL pointing at it, inducing the server to fetch it. At the network boundary the authority elision occurs: the internal service sees a request arriving from the trusted application server's identity and authorises it on I's authority, with O's originating intent nowhere in the check. The composition that should govern the fetch is the intersection of O's authority (none over T) and I's authority (full) — which is empty, so the fetch should be denied. The vulnerable system instead computes the union, applying I's ambient internal access to an intent O supplied. The prime's diagnosis is decisive and corrects the tempting wrong fix: hardening the server's authentication cannot help, because the server's identity was never in dispute — what was dropped is intent provenance. The repair re-attaches provenance: validate the destination against an allowlist the caller could not have authority to expand, or carry the caller's (absent) authority forward so the empty intersection is enforced. 
The prime's non-obvious invariant also bites — the more internal services the application server can reach, the larger the surface O can borrow, so privilege on a directable intermediary is a liability.
Mapped back: SSRF instantiates every role of the signature — an unauthorised outsider with intent, a correctly authenticated privileged server, an unreachable internal target, the address-rather-than-execute URL feature, authority elision at the network boundary, and union-instead-of-intersection composition — and shows the fix lies in re-attaching intent provenance, not in stronger authentication.
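The SSRF composition above as an added Python example (not code from this page or from any project): the same fetch is decided once by union and once by intersection. The host names, the allowlist and the resolver table are constructed assumptions so that the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Operator-controlled allowlist (hypothetical names). The caller cannot
# expand it, which is what makes it a statement of the caller's authority.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

# Constructed resolver table standing in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.com": ["10.0.0.5"],           # allowlisted name, internal record
    "metadata.internal": ["169.254.169.254"],  # target T, inside the boundary
}


def resolve(host):
    """Return the addresses a host maps to; IP literals map to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return CONSTRUCTED_DNS.get(host.lower(), [])


def is_internal(ip):
    """True for addresses that only a party inside the boundary should reach."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def deputy_can_reach(url):
    """I's ambient authority: from inside the boundary, anything that resolves."""
    host = urlsplit(url).hostname
    return bool(host) and bool(resolve(host))


def caller_may_request(url):
    """O's authority over the destination, checked independently of I's."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not permitted"
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    addrs = resolve(host)
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "resolves inside the trust boundary"
    return True, "permitted for caller"


def union_fetch_decision(url):
    """Vulnerable composition: only the deputy's authority is consulted."""
    return deputy_can_reach(url)


def intersection_fetch_decision(url):
    """Safe composition: both the caller and the deputy must be entitled."""
    ok, reason = caller_may_request(url)
    return (deputy_can_reach(url) and ok), reason


if __name__ == "__main__":
    for u in ("https://images.example.com/cat.png",
              "http://metadata.internal/latest/",
              "https://cdn.example.com/a.js"):
        print(u, union_fetch_decision(u), intersection_fetch_decision(u))
```

A production check must also connect to the exact address it validated and repeat the check on every redirect, otherwise the validated name and the fetched destination can diverge.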
Applied/industry
Business-email-compromise wire fraud and apparent authority in agency law are the same confused-deputy object on a financial-operations and a legal substrate, and reading both through the prime locates the fix where the standard instinct misses it. In the wire-fraud case the target T is the payment system; the intermediary I is a trusted treasurer or finance officer whose authority to initiate transfers is valid and undisputed; the outsider O is a fraudster impersonating the CEO by email. O cannot move money directly, but O can address the treasurer with an urgent instruction, inducing I to execute a transfer on I's own authority. The bank and the internal controls see the treasurer's valid authority — identity is never in doubt — while O's originating intent is silently fused in: the system computed the union of the treasurer's authority and an intent the treasurer did not independently generate. The prime makes the failure legible — this is not an authentication problem (the treasurer is exactly who they appear to be) but an intent-provenance problem — and points to the right intervention family: two-person / out-of-band confirmation on intent, where a second party verifies the originating request through a channel independent of the email, re-attaching provenance before the consequential action fires. In agency law, apparent authority is the identical structure: an agent (intermediary) binds a principal (target's authority) when a third party (outsider) reasonably believes the agent was authorised, even though the principal never formed the intent — the principal's authority is exercised by an act whose intent originated elsewhere. The legal system's mitigations (clear scope-of-authority notices, ratification requirements) are recognisably caller-aware authorisation: forcing a check that the act was authorised by the principal for this matter, not merely within the agent's standing power. 
A controls designer who has built dual-control on wire transfers and a lawyer reasoning about apparent authority are doing the same structural work — re-attaching whose intent produced the act — differing only in the names of the parties.
Mapped back: Wire fraud and apparent authority are the same union-not-intersection failure as SSRF — a correctly identified privileged intermediary acting on an outsider's intent while provenance is dropped — so in each the remedy is not better authentication but re-attaching intent provenance via out-of-band confirmation or caller-aware authorisation.
Structural Tensions
T1 — Intent Provenance versus Identity (Scopal). The prime's central reframing — the fix is provenance, not authentication — can over-correct into neglecting identity entirely. Both are required: a system that perfectly tracks originating intent but mis-authenticates the intermediary is just as broken. The failure mode is fixating on provenance plumbing while an identity gap reopens the hole from the other side. Diagnostic: confirm the intermediary's identity is genuinely never in dispute before declaring the problem purely provenance; where authentication is also weak, attestation of the actor and provenance of the intent are two separate controls, and the confused-deputy frame addresses only the second.
T2 — Intersection Semantics versus Functional Delegation (Sign/Direction). Computing effective authority as the intersection of caller and intermediary is the safe rule — but strict intersection can forbid legitimate delegation, where an outsider should be able to borrow narrow authority the intermediary holds (a user invoking a privileged service on purpose). The failure mode is over-applying intersection until useful delegation breaks, then re-introducing ambient authority as a workaround that recreates the vulnerability. Diagnostic: ask which borrowings are intended; the goal is not zero borrowing but scoped borrowing, where capability_separation-style tokens grant exactly the intended slice, distinguishing authorised delegation from confused-deputy elision.
T3 — Provenance Carried versus Provenance Trusted (Coupling). Re-attaching intent provenance assumes the provenance signal itself is trustworthy — but the outsider often controls the very channel that asserts intent (the email claiming to be the CEO, the URL claiming a benign destination). Carrying provenance forward is useless if the outsider can forge it. The failure mode is a system that faithfully propagates an attacker-supplied intent claim, laundering it into authority. Diagnostic: ask whether the provenance assertion originates from a source the outsider can spoof; where it does, the out-of-band confirmation must reach a channel independent of the outsider, since propagating a forgeable intent token just relocates the elision rather than closing it.
T4 — Privilege as Liability versus Privilege as Function (Sign/Evaluation). The prime's counter-intuitive invariant — more authority on a directable intermediary worsens exposure — is true but cuts against the intermediary's reason to exist: it holds privilege because it needs to act. Taken too far, the insight argues for stripping capability the system genuinely requires. The failure mode is de-privileging the intermediary until it can no longer perform its function, trading a security gap for a capability gap. Diagnostic: separate authority the intermediary uses on self-originated intent (keep) from authority reachable by outsider direction (gate); the liability is specifically the directable surface, and reducing privilege indiscriminately mistakes the directability for the privilege.
T5 — Single Hop versus Provenance Chain (Scalar). The triad models one outsider, one intermediary, one target — but real calls chain through several intermediaries, and provenance must survive every hop or it is dropped at the weakest link. The failure mode is securing the first hop's caller-aware check while a downstream intermediary re-introduces ambient authority, so intent is lost two calls later. Diagnostic: trace the originating intent across the entire chain, not just the boundary where the action fires; where any hop substitutes its own authority for the carried provenance, the chain has a confused deputy in the middle, and end-to-end capability-passing, not per-hop authentication, is what preserves the intersection.
T6 — Detecting Elision versus Ambient-Authority Blindness (Epistemic). The whole diagnosis depends on noticing that an action's intent originated externally — but ambient authority is precisely what makes the originator invisible in the record, so the elision is hardest to see exactly where it is most dangerous. The failure mode is a system whose logs say "the intermediary did this" for every action, leaving no trace to distinguish self-originated from borrowed intent, so the confused deputy is undetectable after the fact. Diagnostic: ask whether the audit record could even represent whose intent produced each act; where it cannot, the first fix is instrumenting intent provenance into the log, since you cannot remediate or even detect a union-composition failure the records were never designed to expose.
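One way to carry provenance across hops and into the audit record, as T5 and T6 call for, shown as an added Python example that is not part of the original page. It uses macaroon-style HMAC chaining as an assumed construction; the key, the principal names and the action strings are constructed.

```python
import hashlib
import hmac
import json

ROOT_KEY = b"constructed-demo-key"  # constructed value; held only by target T


def _mac(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).digest()


def mint(originator, actions):
    """T issues a capability naming the originator and what they may do."""
    caveat = json.dumps({"originator": originator, "actions": sorted(actions)})
    return {"caveats": [caveat], "sig": _mac(ROOT_KEY, caveat).hex()}


def attenuate(cap, hop, actions):
    """A hop forwards the capability, appending its name and its own scope.

    The new signature is keyed by the previous one, so a hop can append
    caveats but cannot remove or rewrite earlier ones.
    """
    caveat = json.dumps({"hop": hop, "actions": sorted(actions)})
    sig = _mac(bytes.fromhex(cap["sig"]), caveat).hex()
    return {"caveats": cap["caveats"] + [caveat], "sig": sig}


def ambient_authorize(action, deputy, deputy_actions, audit):
    """Union composition: the record can only say 'the intermediary did this'."""
    allowed = action in deputy_actions
    audit.append({"actor": deputy, "action": action, "allowed": allowed})
    return allowed


def authorize(cap, action, deputy, deputy_actions, audit):
    """Intersection composition over the whole chain, with provenance logged."""
    key = ROOT_KEY
    for caveat in cap["caveats"]:
        key = _mac(key, caveat)
    valid = bool(cap["caveats"]) and hmac.compare_digest(key.hex(), cap["sig"])

    originator, hops, effective = None, [], set()
    if valid:
        parsed = [json.loads(c) for c in cap["caveats"]]
        originator = parsed[0]["originator"]
        hops = [p.get("hop", "?") for p in parsed[1:]]
        effective = set(deputy_actions)
        for p in parsed:  # every link can only narrow the result
            effective &= set(p["actions"])

    allowed = valid and action in effective
    audit.append({"actor": deputy, "originator": originator, "via": hops,
                  "action": action, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    log = []
    deputy_actions = {"read:report", "delete:report"}
    cap = attenuate(mint("alice", {"read:report"}), "gateway", {"read:report"})
    authorize(cap, "read:report", "report-svc", deputy_actions, log)
    authorize(cap, "delete:report", "report-svc", deputy_actions, log)
    for entry in log:
        print(entry)
```

An unverifiable capability is logged with `originator` set to `None`, so a forged intent claim shows up in the record as such instead of being attributed to a real principal.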
Structural–Framed Character
Confused Deputy sits on the framed side of the structural–framed spectrum, with an aggregate of 0.7. There is a sharp relational skeleton underneath — an authority-composition failure in which a privileged intermediary's authority is applied by union rather than intersection because intent provenance is dropped — and that skeleton genuinely reaches several substrates (information security, agency law, financial controls, clinical sign-off chains). But the prime carries a strong security-discipline frame, and the diagnostics that drive the grade reflect that.
Two criteria reach their maximum. Its vocab_travels score is 1.0, which here marks heavy framing rather than free travel: the term and its apparatus — "confused deputy," "intent provenance," "ambient authority," "capability-passing," "caller-aware authorisation" — are a specific security-discipline vocabulary that translates with effort into law or finance but carries its home lexicon along rather than being told value-free in each domain. Its institutional_origin is maximal (1.0): the prime originates with Hardy's 1988 information-security work, and its categories — access control, authority, authorisation chains — are products of institutions of computing security and, in the legal cases, of agency law.
Three criteria carry partial weight, holding the aggregate at 0.7. Its evaluative load is mixed (0.5): the failure is framed as a vulnerability to be fixed, an overtone that travels, though the bare union-versus-intersection composition is structurally describable. Its human_practice_bound score is partial (0.5) because, while many instances are human-institutional (treasurers, agents, clinicians), the cleanest cases — SSRF, CSRF — run in software with no human in the immediate loop, so the pattern is not purely practice-bound. And invoking it is part recognition, part import (0.5): one can recognise an authority-elision point as a present structural fact, but naming it tends to bring along the security-discipline frame and its intervention catalogue. The relational skeleton is real and is what lets the analysis carry from SSRF to apparent authority to wire fraud; but it is wrapped in a security-discipline vocabulary and institutional origin, which is exactly the framed character the 0.7 aggregate records.
Substrate Independence
Confused Deputy is a moderately substrate-independent prime — composite 3 / 5 on the substrate-independence scale. Its domain breadth is genuinely good: the loss of authority attribution when a privileged intermediary is tricked into wielding its authority on an attacker's behalf recurs in computer security (SSRF, CSRF, the classic compiler-billing case), agency law (an agent misled into binding a principal), financial fraud (an officer manipulated into authorising a transfer), and voice assistants (a device acting on a command it should not have honoured) — spanning CS, law, and clinical substrates, which is why breadth reaches a 4. Its transfer evidence is correspondingly concrete across these named instances. What holds the composite to the middle is structural abstraction: the signature presupposes a deputy holding delegated authority, a requester, and a confusion about whose authority is being exercised — a relational shape that, while it travels, carries an authority-and-delegation frame and skews toward engineered and institutional settings rather than physical or biological media. That moderate structural abstraction, against genuinely good breadth and transfer, is what fixes the composite at a 3 rather than higher.
- Composite substrate independence — 3 / 5
- Domain breadth — 4 / 5
- Structural abstraction — 3 / 5
- Transfer evidence — 4 / 5
Relationships to Other Primes
Parents (1) — more general patterns this builds on
- Confused Deputy is a kind of Untrusted Input Execution (child of emergent untrusted_input_execution)
Path to root: Confused Deputy → Untrusted Input Execution
Neighborhood in Abstraction Space
Confused Deputy sits in a sparse region of abstraction space (63rd percentile for distinctiveness): few abstractions share its structure, so a faithful description tends to retrieve it precisely rather than landing on a neighbor.
Family — Identity, Authority & Trust Binding (11 primes)
Nearest neighbors
- Authentication — 0.71
- Presupposition Smuggling — 0.71
- Supersession — 0.70
- Untrusted Input Execution — 0.70
- Abilene Paradox — 0.69
Computed from structural-signature embeddings · 2026-06-14
Not to Be Confused With
The nearest neighbour worth contrasting is authority_delegation_under_uncertainty, because both concern authority flowing through an intermediary, and the distinction is decisive. Authority delegation under uncertainty is about deliberately granting a subordinate some scope of authority when the principal cannot be sure of the subordinate's judgement or the environment — the design question is how much discretion to extend. The confused deputy is about authority being borrowed without anyone granting it: an outsider with no authority over a target addresses a privileged intermediary in a way that induces it to act on its own authority, and the system records the intermediary's valid authority while the originator's lack of authority is silently elided. The structural difference is intent provenance. In delegation, the principal intends the subordinate to wield the granted authority, and the chain of intent is explicit; in the confused deputy, the intent originates with an unauthorised outsider and the chain is dropped at the intermediary, so the action's effective authority computes as the union (intermediary's ambient authority applied to the outsider's intent) rather than the intersection (only what both were entitled to). A designer who reads a confused-deputy vulnerability as a delegation problem will try to tune how much discretion the intermediary holds — exactly the wrong lever, since the intermediary is supposed to hold that authority for its own legitimate actions; the fix is to carry the originator's authority forward so the empty intersection is enforced, not to reduce the intermediary's grant.
The confused deputy is also distinct from consent, with which it is confused because both seem to ask "was this authorised?" Consent is a party's authorisation for an action that affects them; a consent failure is the absence or defect of that authorisation. The confused deputy is structurally different: the intermediary's authorisation to act on the target is perfectly valid and undisputed — the failure is not a missing consent but a mis-attributed intent. The treasurer genuinely may move money; the notary's authority is real; the server's internal access is legitimate. What is wrong is whose wish the validly-authorised actor is executing. Reading the failure as a consent problem leads to verifying that the intermediary was entitled to act (it was) and concluding all is well, while the outsider's borrowed intent sails through. The discriminating question is not "was the actor authorised?" (yes) but "whose intent produced the act?" (an outsider's), which consent reasoning does not surface.
A third confusion is with trust. Trust is a relational expectation that another party will behave as hoped; one might think the confused deputy is a misplaced-trust problem — trusting the wrong party. But the vulnerability arises even with fully trustworthy parties: the intermediary is trustworthy and behaves exactly as designed, faithfully acting on requests addressed to it; the outsider merely exploits the structural fact that the intermediary's authority composes by union rather than intersection. The failure is in the authority-composition architecture, not in any party's trustworthiness or in a trust relationship gone wrong. A practitioner who frames it as a trust problem looks for an untrustworthy actor to distrust, when every actor is behaving correctly and the defect is the silent fusion of identity-of-actor with provenance-of-intent.
For practitioners these distinctions route the fix. Read the confused deputy as a delegation problem and you tune discretion the intermediary legitimately needs. Read it as a consent problem and you confirm an authorisation that was never in question. Read it as a trust problem and you hunt for a bad actor among well-behaved parties. Naming the confused deputy correctly directs attention to the one defect that matters — authority composing as union instead of intersection because intent provenance was dropped — and to its fixes (capability-passing, caller-aware authorisation, out-of-band confirmation) rather than to stronger authentication, which the neighbouring frames each obscure.
Solution Archetypes
No catalogued solution archetypes reference this prime yet.