## Major AI Clients Including Claude, Cursor, Amazon Q Ship With Broken OAuth Implementations
A systematic security failure is spreading across the AI client ecosystem. The majority of widely deployed AI tools—including Claude Code, Claude Desktop, Cursor, LibreChat, and Amazon Q CLI—are shipping without proper OAuth refresh-token flow implementations, forcing developers to fall back to long-lived access tokens and reintroducing a security vulnerability that the industry solved years ago.

The breakdown affects at least 14 major AI clients, according to a newly published reference matrix documenting the gap. Without refresh-token support, developers integrating these tools into enterprise workflows face a stark choice: issue tokens with extended lifespans or force users through frequent re-authentication cycles. Both options degrade security posture. Long-lived tokens expand the attack window if credentials are leaked, while the friction of repeated authentication pushes teams toward insecure workarounds. The documentation links to open feature requests, pull requests, and forum discussions showing that the issue has been flagged across multiple projects—yet fixes remain pending across the board.

The implications are particularly acute for organizations adopting AI coding assistants and chat interfaces at scale. These tools often require access to sensitive codebases, internal documentation, and enterprise APIs. A compromised long-lived token could provide persistent access to corporate infrastructure without the automatic expiration safeguards that refresh-token flows are designed to enforce. Security-conscious users have identified stop-gap workarounds, and a best-practices guide is now available for developers building their own MCP OAuth solutions. The reference is set to be updated monthly to track whether vendors respond to the growing pressure for proper OAuth compliance.
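
For reference, the client-side half of the refresh-token flow that the article says is missing, written here as an added example (not code from any of the clients named above or from the reference matrix). `TokenManager`, `FakeTokenEndpoint`, the `rt-`/`at-` token values and the injected `post` callable (standing in for an HTTPS POST to the token endpoint) are hypothetical names, and a public client identified only by `client_id` is assumed.

```python
import time

class ReauthRequired(Exception):
    """The refresh token was rejected; the user must authorize again."""

class TokenManager:
    """Holds a short-lived access token and renews it with the refresh grant."""
    def __init__(self, post, client_id, access, refresh, expires_in,
                 clock=time.monotonic, skew=30):
        self.post, self.client_id, self.clock, self.skew = post, client_id, clock, skew
        self.refresh_token = refresh
        self._store(access, expires_in)

    def _store(self, access, expires_in):
        self.access = access
        self.expires_at = self.clock() + expires_in

    def access_token(self):
        # Renew slightly early so no request carries an expired token.
        if self.clock() >= self.expires_at - self.skew:
            self._renew()
        return self.access

    def _renew(self):
        status, body = self.post({"grant_type": "refresh_token",
                                  "refresh_token": self.refresh_token,
                                  "client_id": self.client_id})
        if body.get("error") == "invalid_grant":
            # Expired, revoked or already-rotated token: drop it, do not retry.
            self.access = self.refresh_token = None
            raise ReauthRequired("invalid_grant")
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}")
        # Rotation: a newly issued refresh token replaces the old one.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self._store(body["access_token"], body["expires_in"])

class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""
    def __init__(self, current):
        self.current, self.n = current, 0

    def __call__(self, form):
        if form["refresh_token"] != self.current:
            return 400, {"error": "invalid_grant"}
        self.n += 1
        self.current = f"rt-{self.n}"
        return 200, {"access_token": f"at-{self.n}", "token_type": "Bearer",
                     "expires_in": 300, "refresh_token": self.current}
```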

---
- **Source**: r/netsec
- **Sector**: The Lab
- **Tags**: OAuth, AI clients, security vulnerability, refresh tokens, MCP
- **Credibility**: unverified
- **Published**: 2026-05-09 04:31:40
- **ID**: 80979
- **URL**: https://whisperx.ai/en/intel/80979