CVE-2026-31381 PUBLISHED

Gainsight Assist plugin information disclosure

Assigner: rapid7
Reserved: 09.03.2026 Published: 20.03.2026 Updated: 20.03.2026

An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Product Status

Vendor: Gainsight
Product: Gainsight Assist
Versions Default: unaffected
  • Version 0 is unknown

Credits

  • Christopher O’Boyle, Cybersecurity Advisor at Rapid7 (finder)

Problem Types

  • CWE-598: Use of GET request method with sensitive query strings