Context.ai OAuth Token Compromise

2026-04-20 · Source: wiz.io - Www.wiz.io · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning, Cloud Computing & IT Infrastructure · Depth: Advanced, medium

Summary

On April 19th, 2026, Vercel disclosed a security incident involving unauthorized access to its internal systems, stemming from a compromised employee Google Workspace account. The breach occurred via Context.ai, a third-party AI tool whose consumer-focused AI Office Suite environment was also compromised. This represents a double supply chain attack, affecting Context.ai, then Vercel, and potentially Vercel's customers. Technical details reveal that OAuth tokens for some Context.ai consumer users were likely compromised, with at least one Vercel employee having granted "Allow All" permissions to the affected OAuth application. This enabled attackers to use the stolen token to access Vercel's Google Workspace. The incident aligns with a broader trend of attacks exploiting trusted third-party OAuth integrations for initial access, relying on pre-authorized access and delegated permissions for stealthy lateral movement, rather than exploiting platform vulnerabilities. A specific OAuth App client ID, 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com, has been identified as compromised.

Key takeaway

For Security Engineers managing SaaS integrations, this incident underscores the critical need to audit third-party OAuth application permissions. You should immediately identify and revoke access for the compromised Context.ai application (client ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com) across your identity providers. Furthermore, assess and rotate credentials for all affected users and investigate account activity for any signs of misuse. Proactively enforce least privilege for all OAuth grants to minimize future blast radius.

Key insights

Third-party OAuth integrations present a significant supply chain attack vector, enabling broad access via delegated permissions.

Principles

• OAuth tokens with broad permissions are high-value targets for attackers.
• Supply chain attacks can cascade through trusted third-party services.
• Pre-authorized access enables stealthy lateral movement across enterprise environments.

Method

Identify and revoke access to compromised OAuth applications, assess exposure by rotating credentials, and investigate account activity for misuse across identity providers like Google Workspace, Azure/Entra ID, and Okta.

In practice

• Search for OAuth Client ID "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com" in your environment.
• Review authorization events for broad "Allow All" permissions granted to third-party apps.
• For Vercel customers, prioritize rotating non-sensitive environment variables and enforce "sensitive" marking for all secrets.

Topics

• OAuth Security
• Supply Chain Attacks
• Identity Providers
• Incident Response
• Google Workspace Security
• Credential Compromise

Best for: AI Security Engineer, Security Engineer, IT Professional

Related on AIssential

• Vercel Got Powned By An OAuth App. Again… Here Is What Happened and What You Should Do — Third-party OAuth integrations pose significant supply chain risks to organizational security.
• Your GitHub Token Is Now Worth More Than Your AWS Key — AI developers' credentials are now the primary target in supply chain attacks, shifting security focus from models to development environments.
• The authorization problem that could break enterprise AI — Alex Stamos of Corridor and Nancy Wang of 1Password highlight the critical authorization and identity challenges posed by agentic AI in enterprise environments, where agents require access to sensitiv…
• Introducing Trusted Access for Cyber — OpenAI's Trusted Access for Cyber provides controlled access to advanced AI models for defensive cybersecurity.
• “Vercel Hack Exposed: How a Simple AI Tool Led to a $2M Data Breach” — The Vercel breach demonstrates how compromised third-party OAuth tokens can enable long-term, deep supply chain attacks.
• RSA recap, the LiteLLM breach, and the quest to fix AI agent security — Securing agentic AI requires isolating workflows and dynamic identity management, as traditional IAM fails against non-deterministic threats.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by wiz.io - Www.wiz.io.