arXiv — Capability Gates Are Not Authorization: Confused-Deputy Failures in LLM Agent Frameworks
AI relevance: When LLM agents read untrusted content while holding side-effecting tools (payments, email, CRM, infrastructure APIs), the framework must re-authorize each model-emitted call with its concrete argument values, not merely expose the tool. The paper shows that all three audited frameworks fail that test by default.
What the paper covers
- Researchers audited LangChain/LangGraph, LlamaIndex, and the Stripe Agent Toolkit at pinned public commits to check whether they re-authorize each model-emitted tool call with concrete argument values before execution
- Key finding: all three ship capability gating by default (which tools are exposed), but none ships deterministic fail-closed per-call authorization (whether this specific call with these argument values is allowed)
- This is the classic confused-deputy pattern: a privileged component is induced by attacker-controlled input to misuse its authority
- The paper introduces ScopeGate, a five-stage Policy Decision Point and Policy Enforcement Point (PDP/PEP) for agent tool calls: scope, authorization, money ceiling, idempotency, and default deny
- Evaluation results: the identical unauthorized payout call executes under LangChain's default dispatch (with a companion LlamaIndex PoC), but is denied by ScopeGate
- ScopeGate reported 0/48 static bypasses, 0/29 unauthorized attempts (40-iteration adaptive run), 0/10 benign false-denies, and 10/10 containment on Latam-GPT payment-agent
- Cost-optimized deployment-tier models attempt unauthorized calls approximately 3.2× more often than flagship models in the measured sweep
- The paper does not assert a CVE — this is an architectural gap in framework defaults, not a specific vulnerability
- Prior work like MiniScope, AgentDojo, InjecAgent, ToolEmu, and WASP covers adjacent ground, but this is the first reproducible cross-framework audit of this exact default gap tied to a measured threat and deployable control
Why it matters
This research crystallizes a problem the AI security community has been circling: capability gating (which tools can the agent see?) is necessary but insufficient. The real authorization question is whether this specific call, with these argument values, in this principal and session context, is allowed. If a runtime exposes issue_refund and then treats the model's well-typed amount, destination and payment_intent as sufficient authority, it has delegated the authorization decision to the model, whose output is shaped by whatever untrusted content it has just read. That is the confused-deputy pattern, and it is the default in the audited frameworks.
What to do
- If you are building agents with LangChain, LlamaIndex, or similar frameworks, implement per-call authorization that validates concrete argument values against out-of-band policy before execution
- Read the ScopeGate design — the five-stage PDP/PEP pattern (scope, authorization, money ceiling, idempotency, default deny) is a deployable reference architecture
- Treat model-emitted tool calls as untrusted input, not as authorization decisions
- Consider the deployment tier: cost-optimized models show materially higher unauthorized action rates in this study
- Test your agent's tool dispatch with adversarial argument values, not just happy-path scenarios
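The issue_refund scenario from "Why it matters" and the five-stage pattern recommended above, as an added example. This is not code from the paper, from ScopeGate, or from LangChain or LlamaIndex; it is a self-contained Python sketch of a policy decision point and enforcement point placed between the model's tool-call JSON and the tool function. The tool names, the PAYMENTS ledger, the Session fields and the ceilings are constructed for the example, and the refund tool only records what it would have done.

```python
"""Per-call authorization gate for model-emitted tool calls (added example).

Stages follow the summary's list: scope, authorization, money ceiling,
idempotency, default deny. Everything below (tools, ledger, policy) is
constructed for illustration, not taken from any framework.
"""
from dataclasses import dataclass, field
import hashlib
import json

# Constructed out-of-band state. A real PDP would query the payment system
# and identity provider here rather than trusting the model's claims.
PAYMENTS = {
    "pi_1001": {"customer": "cus_A", "amount_cents": 4999},
    "pi_2002": {"customer": "cus_B", "amount_cents": 120000},
}

@dataclass
class Session:
    principal: str              # authenticated customer the agent acts for
    scope: frozenset            # tools this session may invoke at all
    per_call_ceiling: int       # max cents per refund call
    session_ceiling: int        # max cumulative cents per session
    spent: int = 0
    seen_keys: set = field(default_factory=set)

@dataclass
class Decision:
    allowed: bool
    stage: str
    reason: str
    key: str = ""

def _idempotency_key(session_id, tool, args):
    canonical = json.dumps(args, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{session_id}|{tool}|{canonical}".encode()).hexdigest()

def authorize(session_id, session, tool, args):
    """Policy decision point for one concrete call. Anything not explicitly allowed is denied."""
    # Stage 1: scope. The tool must be in the session's scope at all.
    if tool not in session.scope:
        return Decision(False, "scope", f"{tool} not in session scope")
    # Stage 2: authorization. Argument values are checked against out-of-band
    # facts (who owns the payment, where refunds may go), not the model's say-so.
    if tool == "issue_refund":
        pi = PAYMENTS.get(args.get("payment_intent"))
        if pi is None or pi["customer"] != session.principal:
            return Decision(False, "authorization", "payment_intent not owned by principal")
        if args.get("destination") != "original_payment_method":
            return Decision(False, "authorization", "refund must go to the original payment method")
        amount = args.get("amount_cents")
        if not isinstance(amount, int) or amount <= 0 or amount > pi["amount_cents"]:
            return Decision(False, "authorization", "amount exceeds the original charge")
        # Stage 3: money ceiling, per call and cumulative per session.
        if amount > session.per_call_ceiling:
            return Decision(False, "money_ceiling", "per-call ceiling exceeded")
        if session.spent + amount > session.session_ceiling:
            return Decision(False, "money_ceiling", "session ceiling exceeded")
    elif tool == "lookup_order":
        if not isinstance(args.get("order_id"), str):
            return Decision(False, "authorization", "order_id must be a string")
    else:
        # Stage 5: default deny. In scope but with no argument policy written
        # for it means we cannot authorize it, so we refuse.
        return Decision(False, "default_deny", f"no argument policy for {tool}")
    # Stage 4: idempotency. A replay (same session, tool, args) is refused here;
    # a production PEP would instead answer with the stored first result.
    key = _idempotency_key(session_id, tool, args)
    if key in session.seen_keys:
        return Decision(False, "idempotency", "duplicate call")
    return Decision(True, "allow", "all stages passed", key)

def dispatch_ungated(tools, call):
    """Capability gating only: exposed tool plus well-typed args means it runs."""
    return tools[call["tool"]](**call["args"])

def dispatch_gated(tools, session_id, session, call):
    """Policy enforcement point: execute only on an explicit allow."""
    d = authorize(session_id, session, call["tool"], call["args"])
    if not d.allowed:
        return ("denied", d.stage, d.reason)
    session.seen_keys.add(d.key)
    if call["tool"] == "issue_refund":
        session.spent += call["args"]["amount_cents"]
    return ("executed", tools[call["tool"]](**call["args"]))

REFUNDS = []   # constructed side-effect log standing in for the payment API

def issue_refund(payment_intent, amount_cents, destination):
    REFUNDS.append((payment_intent, amount_cents, destination))
    return "refund queued"

TOOLS = {
    "issue_refund": issue_refund,
    "lookup_order": lambda order_id: {"order_id": order_id, "status": "shipped"},
}

def demo():
    session = Session("cus_A", frozenset({"lookup_order", "issue_refund"}), 5000, 10000)
    benign = {"tool": "issue_refund", "args": {"payment_intent": "pi_1001",
              "amount_cents": 1500, "destination": "original_payment_method"}}
    # Emitted by the model after reading an injected instruction in a support
    # ticket: well typed, so the ungated dispatcher runs it without question.
    injected = {"tool": "issue_refund", "args": {"payment_intent": "pi_2002",
                "amount_cents": 120000, "destination": "acct_attacker"}}
    ungated = dispatch_ungated(TOOLS, injected)
    gated_injected = dispatch_gated(TOOLS, "sess1", session, injected)
    gated_benign = dispatch_gated(TOOLS, "sess1", session, benign)
    replay = dispatch_gated(TOOLS, "sess1", session, benign)
    return ungated, gated_injected, gated_benign, replay

if __name__ == "__main__":
    print(demo())
```

The point of the two dispatchers is the one the paper makes: dispatch_ungated is what capability gating alone gives you, and it executes the injected payout because the call is well typed and the tool is exposed. dispatch_gated routes the same call through the stages and refuses it at the authorization stage because the payment_intent is not owned by the session principal; the benign refund passes, and a replay of it is stopped by the idempotency stage. In a real deployment the ownership and destination facts must come from the payment system and identity provider, never from the model's arguments.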