Skip to main content

Gainsight Assist CVE-2026-31381

| EUVDEUVD-2026-13684 MEDIUM
Use of GET Request Method With Sensitive Query Strings (CWE-598)
2026-03-20 rapid7
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 20, 2026 - 13:45 euvd
EUVD-2026-13684
Analysis Generated
Mar 20, 2026 - 13:45 vuln.today
CVE Published
Mar 20, 2026 - 13:02 nvd
MEDIUM 5.3

DescriptionCVE.org

An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.

AnalysisAI

Gainsight Assist contains an information disclosure vulnerability where user email addresses (PII) are exposed in base64-encoded format within the OAuth callback URL's state parameter. This affects all versions of Gainsight Assist and allows unauthenticated remote attackers to extract sensitive personal information with no user interaction required. The vulnerability has a CVSS score of 5.3 (moderate) with confirmed disclosure via Rapid7, and patch availability has been documented in vendor advisories.

Technical ContextAI

The vulnerability stems from improper handling of OAuth state parameters, which are defined in CWE-598 (Use of GET Request with Sensitive Query Strings) and represents a broader information disclosure class. OAuth state parameters are intended to maintain session state and prevent CSRF attacks during the authorization flow; however, Gainsight Assist encodes user email addresses (PII) in base64 format directly into this parameter and passes it through the callback URL. Base64 encoding is trivially reversible and not cryptographic protection, making the state parameter visible in browser history, HTTP logs, referrer headers, and URL-sharing scenarios. The affected product is Gainsight Assist (CPE: cpe:2.3:a:gainsight:gainsight_assist:*:*:*:*:*:*:*:*), indicating all versions are potentially vulnerable. The root cause is the combination of encoding PII in URL-transmitted parameters without encryption and failing to apply secure OAuth practices that mandate state parameter opaqueness.

RemediationAI

Apply the security patch provided by Gainsight as documented in the Rapid7 advisory (http://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed); contact Gainsight support for the specific patched version and deployment timeline if it has not yet been released. As an interim mitigation, disable OAuth integrations in Gainsight Assist if operationally feasible, or restrict access to Gainsight Assist to trusted IP ranges via network controls to limit attacker access to OAuth callback URLs. Additionally, audit HTTP logs, proxy logs, and browser history on client systems for any base64-encoded state parameters already captured and decode them to identify if email addresses have been exposed; report any findings to affected users per breach notification requirements. Implement HTTPS enforcement with HSTS headers and secure cookie flags to reduce the visibility of callback URLs in transit, though this is a defense-in-depth measure and does not replace the patch.

Share

CVE-2026-31381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy