{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31381", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "state": "PUBLISHED", "assignerShortName": "rapid7", "dateReserved": "2026-03-09T09:05:14.105Z", "datePublished": "2026-03-20T13:02:07.185Z", "dateUpdated": "2026-03-23T10:21:31.048Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2026-03-23T10:21:31.048Z"}, "title": "Gainsight Assist plugin information disclosure", "datePublic": "2026-03-20T13:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-598", "description": "CWE-598 Use of GET request method with sensitive query strings", "type": "CWE"}]}], "affected": [{"vendor": "Gainsight", "product": "Gainsight Assist", "versions": [{"status": "unknown", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL."}]}], "references": [{"url": "http://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed", "tags": ["third-party-advisory"]}, {"url": "https://communities.gainsight.com/community-news-2/recent-gainsight-assist-plugin-remediations-cve-2026-31381-and-cve-2026-31382-30587", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Christopher O\u2019Boyle, Cybersecurity Advisor at Rapid7", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:43:11.518701Z", "id": "CVE-2026-31381", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:43:16.949Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31381", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T13:43:11.518701Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:43:13.631Z"}}], "cna": {"title": "Gainsight Assist plugin information disclosure", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Christopher O\u2019Boyle, Cybersecurity Advisor at Rapid7"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Gainsight", "product": "Gainsight Assist", "versions": [{"status": "unknown", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-20T13:00:00.000Z", "references": [{"url": "http://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed", "tags": ["third-party-advisory"]}, {"url": "https://communities.gainsight.com/community-news-2/recent-gainsight-assist-plugin-remediations-cve-2026-31381-and-cve-2026-31382-30587", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.", "supportingMedia": [{"type": "text/html", "value": "An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-598", "description": "CWE-598 Use of GET request method with sensitive query strings"}]}], "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2026-03-23T10:21:31.048Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31381", "state": "PUBLISHED", "dateUpdated": "2026-03-23T10:21:31.048Z", "dateReserved": "2026-03-09T09:05:14.105Z", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "datePublished": "2026-03-20T13:02:07.185Z", "assignerShortName": "rapid7"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gainsight:assist:-:*:*:*:*:*:*:*", "matchCriteriaId": "CEF026DD-1AD7-44D0-8960-A5DDAE4F1BDE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL."}, {"lang": "es", "value": "Un atacante puede extraer direcciones de correo electr\u00f3nico de usuario (IIP) expuestas en codificaci\u00f3n base64 a trav\u00e9s del par\u00e1metro state en la URL de devoluci\u00f3n de llamada de OAuth."}], "id": "CVE-2026-31381", "lastModified": "2026-04-16T15:16:53.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@rapid7.com", "type": "Secondary"}]}, "published": "2026-03-20T14:16:14.567", "references": [{"source": "cve@rapid7.com", "tags": ["Third Party Advisory"], "url": "http://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed"}, {"source": "cve@rapid7.com", "tags": ["Vendor Advisory"], "url": "https://communities.gainsight.com/community-news-2/recent-gainsight-assist-plugin-remediations-cve-2026-31381-and-cve-2026-31382-30587"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-598"}], "source": "cve@rapid7.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Gainsight Assist", "source": "cna", "vendor": "Gainsight"}, "product": "gainsight_assist", "vendor": "gainsight"}], "analysis": {"en": {"generated_at": "2026-04-17T11:29:19.912355+00:00", "value": {"mitigation_remediation": ["Apply the latest Gainsight Assist patch once it becomes available to eliminate the information disclosure flaw.", "Configure the plugin to validate the state parameter and ensure it does not carry PII, or encode sensitive data securely to prevent base64 exposure.", "Monitor OAuth callback logs and user account activity for anomalous state parameter values that could indicate exploitation attempts."], "summary": {"action": "Patch", "impact": "Information disclosure"}, "threat_synthesis": {"affected_systems": "Affected systems are instances of the Gainsight Assist plugin from Gainsight. No specific version ranges are provided in the data, so all installations that include this plugin may be affected unless an update has already been applied.", "description_and_impact": "The vulnerability allows an attacker to extract user email addresses that are exposed in base64 encoding via the state parameter present in the OAuth callback URL. This leads to exposure of personally identifiable information and is categorized as CWE\u2011598, representing improper handling of input that reveals confidential data, and includes an NVD-CWE-noinfo entry indicating no further classification.", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation. The likely attack vector involves an attacker manipulating the OAuth callback URL to include a crafted state parameter; the victim must use the OAuth flow for the exposure to occur. No evidence of an existing exploit is reported in the provided references."}}}}, "created": "2026-03-20T16:27:16.322806+00:00", "updated": "2026-04-17T11:30:16.997795+00:00", "vendors": ["gainsight", "gainsight$PRODUCT$gainsight_assist"]}