What is a confused deputy attack?
A confused deputy attack tricks a trusted intermediary into misusing its authority on an attacker's behalf. In MCP, it arises when a server forwards a token meant for itself to an upstream API that accepts it.
A confused deputy is a program that holds authority and can be manipulated into wielding it for someone who lacks that authority. The classic case is a compiler with write access to a system directory that a user tricks into overwriting a protected file. In the OAuth and MCP world the deputy is an MCP server or gateway that holds, or can obtain, access tokens. Without explicit audience binding, a client could obtain a token scoped for a low-privilege resource and replay it against a higher-privilege one, or an MCP server could pass an inbound user token straight to an upstream API that happens to honor it, granting access the user never intended. The MCP authorization spec mitigates this in two ways: it requires Resource Indicators (RFC 8707) so every token names the exact server it is for, and it forbids servers from forwarding inbound tokens upstream, requiring a separate token exchange instead. Understanding the confused deputy pattern is essential when chaining agents across multiple servers, because each hop is a potential deputy that can be confused into leaking or escalating access.
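The two mitigations above, modelled end to end as an added example (this is illustrative code written for this entry, not the MCP reference implementation or any real authorization server): the issuer binds each token to the RFC 8707 resource it was requested for, every resource server rejects tokens whose audience is not exactly itself, and the deputy either forwards the inbound token (and is refused upstream) or performs a separate exchange (and succeeds). The key, the two resource URLs and the HMAC token format are constructed assumptions.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed for this example: a key shared by the hypothetical authorization
# server and its resource servers, plus two resource indicators (RFC 8707).
ISSUER_KEY = b"constructed-demo-key"
MCP_SERVER = "https://mcp.example/"  # the deputy
UPSTREAM = "https://api.example/"    # the higher-privilege upstream API

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, resource: str, scope: str) -> str:
    """Authorization server: the requested resource becomes the 'aud' claim."""
    claims = {"sub": subject, "aud": resource, "scope": scope}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def validate_token(token: str, my_resource: str) -> Optional[dict]:
    """Resource server: check the signature, then require aud == this server."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # wrong number of parts, bad base64 or JSON
        return None
    return claims if claims.get("aud") == my_resource else None

def upstream_call(token: str) -> str:
    """Upstream API: honors only tokens whose audience is itself."""
    claims = validate_token(token, UPSTREAM)
    return f"ok for {claims['sub']}" if claims else "rejected: audience mismatch"

def mcp_server_forwarding(inbound_token: str) -> str:
    """Forbidden pattern: the deputy forwards the user's own token upstream."""
    if validate_token(inbound_token, MCP_SERVER) is None:
        return "rejected: not for this server"
    return upstream_call(inbound_token)  # upstream refuses: aud is MCP_SERVER

def mcp_server_exchanging(inbound_token: str) -> str:
    """Spec-conformant: validate, then use a separately obtained upstream token."""
    claims = validate_token(inbound_token, MCP_SERVER)
    if claims is None:
        return "rejected: not for this server"
    return upstream_call(issue_token(claims["sub"], UPSTREAM, "read"))  # models the exchange
```

The same audience check is what stops the replay case in the text: a token minted for a low-privilege resource carries that resource as its `aud` and is refused by any other server.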