CWE-441 102 个 CVE MITRE 定义 ↗

CWE-441:Unintended Proxy or Intermediary ('Confused Deputy')

概览

CWE-441(Unintended Proxy or Intermediary ('Confused Deputy'))描述一种在漏洞数据库与安全评估中使用的弱点类型;定义、背景与映射 CVE 见下方各节。

安全影响
安全影响:因产品与场景而异;请结合 CVE 记录、严重度评分与 MITRE 说明进行优先级判断。

描述

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

适用平台

类型 名称 普遍性 OS / CPE
language Not Language-Specific Undetermined
operating_system Not OS-Specific Undetermined
architecture Not Architecture-Specific Undetermined
technology Not Technology-Specific Undetermined

本库相关 CVE

下列 CVE 在本库中映射到该弱点,并保留以便追溯与检索。

CVE 公开时间 摘要
CVE-2026-53514 2026-07-15 Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVeri…
CVE-2026-53513 2026-07-15 Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the @better-auth/sso plugin's POST /sso/register and POST /sso/update-provider endpoints accept attacker-con…
CVE-2026-15183 2026-07-14 Multiple input validation vulnerabilities in the Snowflake Spark Connector (spark-snowflake) versions prior to 3.2.1 can allow attackers to exfiltrate OAuth client credentials, execute arbitrary SQL w…
CVE-2026-56675 2026-07-10 9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/* access without an API key, so a same-host reverse proxy that forwards public traffic…
CVE-2026-12879 2026-07-09 An Improper Input Validation vulnerability in BigQuery DAO in Google Cloud Apigee versions prior to 2026-06-12 on Google Cloud Platform allows an authenticated attacker to exfiltrate cross-tenant data…
CVE-2026-55430 2026-07-07 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpa…
CVE-2026-49086 2026-07-06 Improper Input Validation, Unintended Proxy or Intermediary ('Confused Deputy') vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer (DaprPubSubConsumer) copied two fiel…
CVE-2026-46592 2026-07-06 Improper Input Validation, Unintended Proxy or Intermediary ('Confused Deputy') vulnerability in Apache Camel CXF SOAP component. The camel-cxf producer selects which SOAP operation to invoke on the …
CVE-2026-53931 2026-06-23 NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable u…
CVE-2026-50169 2026-06-22 Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the …
CVE-2026-9595 2026-06-15 Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This le…
CVE-2026-44494 2026-06-11 Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype…
CVE-2026-49821 2026-06-10 Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller p…
CVE-2026-36608 2026-06-03 Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localh…
CVE-2026-0098 2026-06-01 In getCallingPackageName of Shared.java, there is a possible way to bypass activity start restrictions due to a confused deputy. This could lead to local escalation of privilege with no additional exe…
CVE-2025-48570 2026-06-01 In multiple functions of PipTaskOrganizer.java, there is a possible way to launch an activity from the background due to a confused deputy. This could lead to local escalation of privilege with no add…
CVE-2026-48522 2026-05-28 PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector register…
CVE-2026-3160 2026-05-14 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira…
CVE-2026-45003 2026-05-11 OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime …
CVE-2026-44992 2026-05-11 OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax …

曾用名

  • Unintended Proxy/Intermediary (2013-02-21)

内容提交

名称
PLOVER
日期
2006-07-19
版本
Draft 3

内容修订

日期 名称 版本 重要性 评论
2008-07-01 Eric Dalci 1.0 updated Potential_Mitigations, Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
2008-11-24 CWE Content Team 1.1 updated Maintenance_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
2010-02-16 CWE Content Team 1.8 updated Taxonomy_Mappings
2010-04-05 CWE Content Team 1.8.1 updated Related_Attack_Patterns
2010-06-21 CWE Content Team 1.9 updated Other_Notes
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2011-06-27 CWE Content Team 2.0 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Related_Attack_Patterns, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2013-02-21 CWE Content Team 2.4 updated Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, References, Relationship_Notes, Relationships, Theoretical_Notes, Type
2014-07-30 CWE Content Team 2.8 updated Relationships
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-01-19 CWE Content Team 2.10 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Modes_of_Introduction, Relationships
2019-06-20 CWE Content Team 3.3 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Relationships
2020-08-14 CWE Content Team 4.3 Per Intel Corporation suggestion, added language to be inclusive to hardware: updated Demonstrative_Examples, Description, Extended_Description, Applicable_Platforms, Potential_Mitigation, Common_Consequences, References
2020-08-20 CWE Content Team 4.2 updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-10-13 CWE Content Team 4.9 updated Related_Attack_Patterns
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-12-11 CWE Content Team 4.19 updated Alternate_Terms, Relationships, Weakness_Ordinalities

贡献

类型 名称 日期 评论
Content Arun Kanuparthi, Hareesh Khattri, Parbati K. Manna 2020-08-14 Provided demonstrative example
cvelogic Threat Intelligence