One Overprivileged OAuth Grant Bridged Two Companies in Context.ai-Vercel Breach

A Vercel employee granted "Allow All" OAuth permissions to Context.ai while integrating a consumer app. Attackers abused the resulting tokens to access the employee's Google Workspace account, then pivoted into Vercel's internal systems and exfiltrated customer credentials. The incident shows how excessive permission scoping in federated identity can create unintended trust bridges across organizational boundaries. **Worth flagging:** OAuth's design enables seamless integration but also widens cross-tenant attack surfaces when permissions lack granularity.
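A defender-side check for the scoping problem described above, as an added example that is not from the article or from either company: it audits a list of third-party OAuth grants and flags any that hand an app outside the user's own domain full-access scopes instead of a narrower alternative. The Google scope strings are real; the grants, the `Grant` and `Finding` types and the audit function are constructed for this illustration.

```python
"""Flag over-broad OAuth grants to external apps (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional

# Real Google scope strings that give an app full read/write access.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail read/write/delete",
    "https://www.googleapis.com/auth/drive": "full Drive read/write",
    "https://www.googleapis.com/auth/admin.directory.user": "directory user admin",
}
# Narrower scopes that usually suffice for an integration.
LEAST_PRIVILEGE = {
    "https://mail.google.com/": "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive": "https://www.googleapis.com/auth/drive.file",
}

@dataclass
class Grant:            # hypothetical record shape for a consented OAuth client
    user: str
    app: str
    app_owner_domain: str
    scopes: List[str]

@dataclass
class Finding:
    user: str
    app: str
    scope: str
    reason: str
    external: bool      # app owner is outside the user's organization
    suggested: Optional[str]

def audit_grants(grants: List[Grant]) -> List[Finding]:
    """Return one finding per broad scope held by an app from another domain."""
    findings = []
    for g in grants:
        external = g.app_owner_domain != g.user.split("@", 1)[1]
        for scope in g.scopes:
            if scope in BROAD_SCOPES and external:
                findings.append(Finding(g.user, g.app, scope, BROAD_SCOPES[scope],
                                        external, LEAST_PRIVILEGE.get(scope)))
    return findings

SAMPLE_GRANTS = [  # constructed sample data
    Grant("alice@example.com", "notes-assistant", "vendor.example",
          ["openid", "email", "https://mail.google.com/", "https://www.googleapis.com/auth/drive"]),
    Grant("bob@example.com", "calendar-sync", "vendor.example",
          ["openid", "https://www.googleapis.com/auth/calendar.readonly"]),
    Grant("carol@example.com", "internal-tool", "example.com", ["https://mail.google.com/"]),
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"{f.user} -> {f.app}: {f.scope} ({f.reason}); prefer {f.suggested}")
```

Only the external app with full-access scopes is reported; the internal tool and the read-only calendar grant pass.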