Description
A lower-trust agent induces a higher-trust peer to recursively delegate execution until the original request is carried under a more privileged identity than intended by policy. The exploit emerges when delegation history is not preserved as a hard authorization constraint across handoffs, allowing each hop to reinterpret provenance and scope independently.
Framework Mappings
Framework
Technique ID
Name
Relationship
MITRE ATLAS
AML.T0051
Prompt injection
Precondition / enabling step
MITRE ATT&CK
T1078
Valid accounts
Analogous identity misuse
OWASP LLM
LLM01
Prompt injection
Primary overlap
MITRE ATLAS
AML.T0017
Exfiltration via agent channel
Common follow-on effect
Attack Flow
Attacker
Agent
PHASE 1 — DELEGATION SETUP
crafted task request with nested escalation cues
delegation accepted without provenance lock
PHASE 2 — PRIVILEGE AMPLIFICATION
privileged action executed under downstream trust context
Indicators
IND-0021
A2A
delegation.chain_depth
Depth increases without a corresponding scope-reduction marker.
▸
IND-0022
MCP
session.auth_origin
Origin identity changes while capability set expands across the same task lineage.
▸
IND-0023
A2A
handoff.provenance
Missing immutable provenance envelope on cross-agent request transfer.
▸
YAML
scenario.yaml
15 of 31 lines
id : OATF-002
name : Delegation loop causes privilege amplification
status : stable
severity : critical
protocols :
- a2a
- mcp
interaction_model : agent-to-agent
classification : privilege-amplification
description : >
Recursive delegation causes a request to cross trust boundaries
without carrying immutable provenance and authorization constraints.
indicators :
- id : IND-0021
surface : delegation.chain_depth
protocol : a2a
Download .yaml
Open in Builder