Class (Draft)
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
Category: other
Description
The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Common consequences (1)
- Non-Repudiation / Access Control — Gain Privileges or Assume Identity, Hide Activities, Execute Unauthorized Code or Commands
Potential mitigations (2)
- [Architecture and Design] Enforce the use of a strong mutual authentication mechanism between the two parties.
- [Architecture and Design] Whenever a product is an intermediary or proxy for transactions between two other components, the proxy core should not drop the identity of the initiator of the transaction. The immutability of the identity of the initiator must be maintained, and that identity should be forwarded all the way to the target.
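The two mitigations above, as an added illustration that is not part of the CWE entry or this page: a minimal forwarding proxy in the CWE-441 shape (it talks to the target under its own privileged identity, so the initiator is lost) beside the mitigated shape (the proxy keeps the initiator and the target authorizes on that initiator, honouring a forwarded identity only from an authenticated, trusted proxy, which stands in for the mutual-authentication requirement). All principals, the ACL and the trusted-proxy set are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed target-side ACL: which principal holds which "action:resource" right.
TARGET_ACL = {
    "alice": {"read:/reports/alice"},
    "proxy-svc": {"read:/reports/alice", "read:/reports/bob", "delete:/reports/bob"},
}
# Constructed set of proxies the target has mutually authenticated; only these may
# assert a forwarded initiator. Anyone else is authorized as themselves.
TRUSTED_PROXIES = {"proxy-svc"}


@dataclass(frozen=True)
class Request:
    initiator: str   # principal that originated the request at the upstream component
    action: str
    resource: str


def target_handle(caller: str, forwarded_initiator: Optional[str],
                  action: str, resource: str) -> bool:
    """Target service. The forwarded initiator is honoured only when the
    authenticated caller is a trusted proxy; otherwise the caller itself is
    the principal, so an arbitrary client cannot spoof the forwarded identity."""
    if forwarded_initiator and caller in TRUSTED_PROXIES:
        principal = forwarded_initiator
    else:
        principal = caller
    return f"{action}:{resource}" in TARGET_ACL.get(principal, set())


def confused_proxy(req: Request) -> bool:
    """CWE-441 shape: the proxy forwards under its own identity and drops the
    initiator, so the target sees 'proxy-svc' and grants the proxy's rights."""
    return target_handle("proxy-svc", None, req.action, req.resource)


def identity_preserving_proxy(req: Request) -> bool:
    """Mitigated shape: the proxy authenticates as itself but forwards the
    original initiator unchanged; the target authorizes the initiator."""
    if not req.initiator:   # refuse to forward a request with no initiator
        return False
    return target_handle("proxy-svc", req.initiator, req.action, req.resource)
```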
Related CAPEC attack patterns (2)
References
Exploits (incoming, 2)
| Type | Target | Confidence | Tier |
|---|---|---|---|
| AttackPattern | XML Routing Detour Attacks (capec-219) | 100% | live |
| AttackPattern | Transparent Proxy Abuse (capec-465) | 100% | live |
Compliance frameworks addressing this (incoming, 1)
| Type | Target | Confidence | Tier |
|---|---|---|---|
| ComplianceControl | owasp_api_top10-api07 | 100% | live |
(incoming, 18)
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Vulnerability | CVE-2025-11393 (cve-2025-11393) | 0% | live |
| Vulnerability | CVE-2025-25306 (cve-2025-25306) | 0% | live |
| Vulnerability | CVE-2025-47269 (cve-2025-47269) | 0% | live |
| Vulnerability | CVE-2025-48579 (cve-2025-48579) | 0% | live |
| Vulnerability | CVE-2025-62718 (cve-2025-62718) | 0% | live |
| Vulnerability | CVE-2025-64123 (cve-2025-64123) | 0% | live |
| Vulnerability | CVE-2026-0008 (cve-2026-0008) | 0% | live |
| Vulnerability | CVE-2026-0013 (cve-2026-0013) | 0% | live |
| Vulnerability | CVE-2026-0021 (cve-2026-0021) | 0% | live |
| Vulnerability | CVE-2026-0107 (cve-2026-0107) | 0% | live |
| Vulnerability | CVE-2026-23751 (cve-2026-23751) | 0% | live |
| Vulnerability | CVE-2026-24470 (cve-2026-24470) | 0% | live |
| Vulnerability | CVE-2026-33768 (cve-2026-33768) | 0% | live |
| Vulnerability | CVE-2026-39906 (cve-2026-39906) | 0% | live |
| Vulnerability | CVE-2026-42043 (cve-2026-42043) | 0% | live |
| Vulnerability | CVE-2026-42313 (cve-2026-42313) | 0% | live |
| Vulnerability | CVE-2026-7381 (cve-2026-7381) | 0% | live |
| KEVEntry | ZK Framework AuUploader Unspecified Vulnerability (kev-cve-2022-36537) | 0% | live |
Related by meaning (6)
Nearest entities by semantic similarity across the cs-graph corpus.