Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.
AnalysisAI
Gainsight Assist contains an information disclosure vulnerability where user email addresses (PII) are exposed in base64-encoded format within the OAuth callback URL's state parameter. This affects all versions of Gainsight Assist and allows unauthenticated remote attackers to extract sensitive personal information with no user interaction required. The vulnerability has a CVSS score of 5.3 (moderate) with confirmed disclosure via Rapid7, and patch availability has been documented in vendor advisories.
Technical ContextAI
The vulnerability stems from improper handling of OAuth state parameters, which are defined in CWE-598 (Use of GET Request with Sensitive Query Strings) and represents a broader information disclosure class. OAuth state parameters are intended to maintain session state and prevent CSRF attacks during the authorization flow; however, Gainsight Assist encodes user email addresses (PII) in base64 format directly into this parameter and passes it through the callback URL. Base64 encoding is trivially reversible and not cryptographic protection, making the state parameter visible in browser history, HTTP logs, referrer headers, and URL-sharing scenarios. The affected product is Gainsight Assist (CPE: cpe:2.3:a:gainsight:gainsight_assist:*:*:*:*:*:*:*:*), indicating all versions are potentially vulnerable. The root cause is the combination of encoding PII in URL-transmitted parameters without encryption and failing to apply secure OAuth practices that mandate state parameter opaqueness.
RemediationAI
Apply the security patch provided by Gainsight as documented in the Rapid7 advisory (http://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed); contact Gainsight support for the specific patched version and deployment timeline if it has not yet been released. As an interim mitigation, disable OAuth integrations in Gainsight Assist if operationally feasible, or restrict access to Gainsight Assist to trusted IP ranges via network controls to limit attacker access to OAuth callback URLs. Additionally, audit HTTP logs, proxy logs, and browser history on client systems for any base64-encoded state parameters already captured and decode them to identify if email addresses have been exposed; report any findings to affected users per breach notification requirements. Implement HTTPS enforcement with HSTS headers and secure cookie flags to reduce the visibility of callback URLs in transit, though this is a defense-in-depth measure and does not replace the patch.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13684