CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
Abstraction: Class. Status: Draft. 20 recent CVEs are listed at the end of this entry.
Description
The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Common consequences
- Scope: Non-Repudiation, Access Control. Impact: Gain Privileges or Assume Identity; Hide Activities; Execute Unauthorized Code or Commands.
Potential mitigations
- Architecture and Design: Enforce the use of a strong mutual authentication mechanism between the two parties.
- Architecture and Design: Whenever a product acts as an intermediary or proxy for transactions between two other components, the proxy core should not drop the identity of the transaction's initiator. That identity must be kept immutable and forwarded all the way to the target, so the target authorizes the original initiator rather than the proxy.
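The two mitigations above, as an added example that is not part of the CWE entry: a gateway that forwards requests to a backend under its own privileged identity (the confused deputy) beside one that carries the original principal in a signed assertion the backend verifies. The principal names, the ACL and the shared HMAC key are constructed; the shared key stands in for the mutual authentication between gateway and backend that the first mitigation calls for.

```python
import hashlib
import hmac

# Constructed sample data (not from the CWE entry): the backend's ACL, keyed by
# principal. The gateway legitimately holds "delete" for its own housekeeping.
ACL = {"alice": {"read"}, "gateway": {"read", "delete"}}
# Assumption: a secret shared only between the authenticated gateway and the backend.
SHARED_KEY = b"constructed-shared-key"


def backend_naive(request, caller):
    """Backend that authorizes whoever connected to it (here: always the gateway)."""
    return request["action"] in ACL.get(caller, set())


def gateway_naive(user, action):
    """Confused deputy: the user's identity is dropped; the backend sees only the gateway."""
    return backend_naive({"action": action}, caller="gateway")


def sign_identity(principal):
    """Bind the original initiator's identity so the backend can detect tampering."""
    tag = hmac.new(SHARED_KEY, principal.encode(), hashlib.sha256).hexdigest()
    return {"principal": principal, "tag": tag}


def backend_preserving(request, caller):
    """Backend that authorizes the original initiator named in a verified assertion."""
    if caller != "gateway":  # only the authenticated gateway may assert on behalf of others
        return False
    ident = request.get("on_behalf_of")
    if not ident:
        return False  # no initiator forwarded: refuse rather than fall back to the gateway's rights
    expected = hmac.new(SHARED_KEY, ident["principal"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ident["tag"]):
        return False  # assertion altered or forged
    return request["action"] in ACL.get(ident["principal"], set())


def gateway_preserving(user, action):
    """Proxy that forwards the initiator's identity all the way to the target."""
    request = {"action": action, "on_behalf_of": sign_identity(user)}
    return backend_preserving(request, caller="gateway")
```

With the naive gateway, a read-only user obtains the gateway's delete right; with the identity-preserving gateway the backend decides on the user's own rights, and a tampered or unsigned assertion is refused.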
Related CWEs
Recent CVEs classified under this CWE
Each entry gives the CVE ID, its score, and the date listed on the page.
- CVE-2026-36608, 8.8, 2026-06-03
- CVE-2026-0098, 7.8, 2026-06-01
- CVE-2025-48570, 7.8, 2026-06-01
- CVE-2026-48522, 4.2, 2026-05-28
- CVE-2026-3160, 5.8, 2026-05-14
- CVE-2026-45003, 5.0, 2026-05-11
- CVE-2026-44992, 5.0, 2026-05-11
- CVE-2026-42313, 8.3, 2026-05-11
- CVE-2026-45182, 2.2, 2026-05-09
- CVE-2026-7381, 9.1, 2026-04-29
- CVE-2026-41365, 5.4, 2026-04-28
- CVE-2026-6993, 5.3, 2026-04-25
- CVE-2026-42043, 7.2, 2026-04-24
- CVE-2026-23751, 9.8, 2026-04-23
- CVE-2026-39906, 10.0, 2026-04-14
- CVE-2026-39961, 6.8, 2026-04-09
- CVE-2025-62718, 9.9, 2026-04-09
- CVE-2026-27124, no score given, 2026-04-03
- CVE-2021-25740, 3.1, 2021-09-20
- CVE-2020-8561, 4.1, 2021-09-20