πŸ” CVE Alert

CVE-2026-31381

MEDIUM 5.3

Gainsight Assist plugin information disclosure

CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 1st

An unauthenticated remote attacker can recover user email addresses (PII) from the Gainsight Assist plugin's OAuth flow: the plugin places the address, base64-encoded, in the state parameter of the OAuth callback URL. Base64 is a reversible encoding, not a protection, and a value carried in a GET query string (CWE-598) is retained in browser history, Referer headers and proxy and web-server logs, so it can be exposed to anyone able to read those records.
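As an added illustration of the mechanism above (not code from the advisory, Gainsight or Rapid7): the first part decodes the state parameter of a callback URL and reports any e-mail address it carries, which is the check to run against your own OAuth callbacks; the second shows the usual remedy, an opaque random state bound server-side to the pending login so the URL carries nothing identifying. The URL, the state value, the user identifier and the in-memory table are constructed for the example.

```python
import base64
import binascii
import re
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample (not taken from the advisory): an OAuth callback whose
# state parameter is base64("user@example.com").
SAMPLE_CALLBACK_URL = (
    "https://app.example.com/oauth/callback"
    "?code=AUTHCODE123&state=dXNlckBleGFtcGxlLmNvbQ=="
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_state(state: str) -> Optional[str]:
    """Decode a state value as standard or URL-safe base64, restoring any
    padding the sender stripped. Returns None if it is not base64 text."""
    padded = state + "=" * (-len(state) % 4)
    altchars = b"-_" if ("-" in state or "_" in state) else None
    try:
        return base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_pii_in_state(callback_url: str) -> List[str]:
    """Return every e-mail address recoverable from the state query parameter."""
    query = parse_qs(urlparse(callback_url).query)
    found: List[str] = []
    for state in query.get("state", []):
        decoded = decode_state(state)
        if decoded:
            found.extend(EMAIL_RE.findall(decoded))
    return found


# Hardened pattern (added here, not Gainsight's code): state is an opaque random
# token that the server binds to the pending login, so the callback URL never
# carries user data. A real deployment keeps this table in a session store with
# an expiry rather than in a module-level dict.
_pending_states: Dict[str, str] = {}


def issue_state(user_id: str) -> str:
    """Mint a fresh, unguessable state for one authorization request."""
    state = secrets.token_urlsafe(32)
    _pending_states[state] = user_id
    return state


def consume_state(state: str) -> Optional[str]:
    """Validate the returned state exactly once (this is also the CSRF check
    OAuth expects of state). Returns the bound user id, or None if the value is
    unknown or has already been used."""
    return _pending_states.pop(state, None)


def build_callback_url(state: str, code: str = "AUTHCODE123") -> str:
    """Constructed callback URL, used only to show the hardened state in place."""
    return "https://app.example.com/oauth/callback?" + urlencode({"code": code, "state": state})


if __name__ == "__main__":
    print("leaky state exposes:", find_pii_in_state(SAMPLE_CALLBACK_URL))
    safe_state = issue_state("internal-user-42")
    print("opaque state exposes:", find_pii_in_state(build_callback_url(safe_state)))
    print("callback bound to:", consume_state(safe_state), "replay:", consume_state(safe_state))
```

The decoder restores stripped padding and accepts the URL-safe alphabet because both variants show up in real callbacks; a scanner that only tries padded standard base64 misses half of them. The hardened half keeps the user binding on the server and makes the state single-use, which removes the disclosure and satisfies the anti-CSRF purpose that state has in OAuth.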

CWE: CWE-598 (Use of GET Request Method With Sensitive Query Strings)
Vendor: Gainsight
Product: Gainsight Assist
Published: Mar 20, 2026
Last Updated: Mar 23, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Affected Versions

Gainsight / Gainsight Assist
All versions affected

References

NVD, CVE.org, EPSS Data
rapid7.com: http://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed
communities.gainsight.com: https://communities.gainsight.com/community-news-2/recent-gainsight-assist-plugin-remediations-cve-2026-31381-and-cve-2026-31382-30587

Credits

Christopher O'Boyle, Cybersecurity Advisor at Rapid7