CVE-2026-31381 is a vulnerability identified in Gainsight Assist, a customer success platform tool, where sensitive user information—specifically email addresses—is exposed in the OAuth callback URL via the state parameter. The email addresses are base64 encoded but not encrypted, making it trivial for an attacker to decode and extract this personally identifiable information (PII). The root cause is the use of the HTTP GET method to transmit sensitive data in query strings, which is flagged under CWE-598. GET requests append parameters to URLs, which can be logged in browser history, server logs, proxy logs, and potentially intercepted in transit if HTTPS is not enforced. The vulnerability does not require authentication or user interaction, and the attack vector is network-based, meaning an attacker can intercept or observe the OAuth callback URL to harvest exposed emails. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the limited impact on confidentiality without affecting integrity or availability. No patches or fixes are currently published, and no exploits have been reported in the wild. However, the exposure of PII can lead to privacy violations, targeted phishing, or social engineering attacks. This vulnerability highlights the importance of avoiding sensitive data transmission in URLs and using POST methods or encrypted tokens instead.

The primary impact of this vulnerability is the exposure of user email addresses, which compromises confidentiality. Organizations using Gainsight Assist risk leaking PII, potentially violating privacy regulations such as GDPR or CCPA. Attackers who obtain these email addresses could launch targeted phishing campaigns or social engineering attacks against users, increasing the risk of credential theft or further compromise. While the vulnerability does not affect system integrity or availability, the reputational damage and regulatory penalties from PII exposure can be significant. Since the vulnerability requires no authentication or user interaction, it can be exploited by passive network attackers or malicious insiders with access to network traffic or logs. The scope is limited to environments where Gainsight Assist is deployed and OAuth callbacks are observable. The lack of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

Organizations should immediately review their use of Gainsight Assist and monitor for vendor updates or patches addressing this vulnerability. As a best practice, avoid transmitting sensitive data such as email addresses in URL query parameters, especially in GET requests. Instead, use POST methods or encrypted tokens to carry sensitive information during OAuth flows. Implement strict HTTPS enforcement to protect OAuth callback URLs from interception. Review and limit logging of URLs containing sensitive parameters to reduce exposure in logs. If possible, customize or configure Gainsight Assist to avoid including PII in the state parameter or encode it securely using encryption rather than base64 encoding. Conduct security assessments of OAuth implementations to ensure sensitive data is handled securely. Educate developers and administrators about the risks of CWE-598 and secure coding practices for OAuth and web applications. Finally, monitor network traffic for suspicious access patterns that may indicate attempts to exploit this vulnerability.