Critical Fixes for Gainsight Assist: Addressing CVE-2026-31381 & CVE-2026-31382
Introduction
Recent research by Rapid7 Labs has uncovered a security chain affecting the Gainsight Assist plugin and its interaction with the app.gainsight.com domain. For security teams, the primary concern is the combination of an Information Disclosure vulnerability (CVE-2026-31381) and a Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2026-31382).
While individual plugin vulnerabilities are common, the ability to chain them allows an attacker to pivot from passive information gathering to active client-side exploitation. This creates a tangible risk for organizations using Gainsight to manage customer data, as attackers could potentially hijack sessions or steal sensitive tokens via browser-based attacks. Prompt patching is essential to close this attack vector.
Technical Analysis
The vulnerabilities identified impact the Gainsight Assist ecosystem, specifically the Chrome and Outlook plugins used to synchronize email templates and data.
- CVE-2026-31381 (Information Disclosure): This flaw resides within the Gainsight Assist plugin. It allows attackers to passively gather sensitive information, potentially laying the groundwork for a more sophisticated attack.
- CVE-2026-31382 (Reflected XSS): This vulnerability exists on the server side of app.gainsight.com. Reflected XSS occurs when attacker-controlled input in a request is echoed back unencoded in the web application's response, so the victim's browser runs it as script within the application's origin.
The Attack Chain: The danger here lies in the combination. An attacker could first leverage the Information Disclosure flaw to understand the environment or session structure, and then utilize the XSS flaw to execute arbitrary code in the victim's browser context.
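To make the reflection mechanism concrete, the following is an added, generic illustration that is not Gainsight's code and does not describe the specific flaw in app.gainsight.com. It shows a handler that echoes a query parameter straight into HTML beside the same handler with output encoding and a restrictive Content-Security-Policy, plus a small QA check that confirms encoding actually happened. The URL, the parameter name q, and the header values are constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the 'q' parameter carries markup instead of a plain search term
SAMPLE_URL = "https://app.example.invalid/search?q=%3Cb%3Einjected%3C%2Fb%3E"


def query_param(url, name="q"):
    """Pull one query-string parameter out of a URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(query):
    """Echoes user input straight into HTML: whatever markup the URL carried now lands in the page."""
    return f"<p>Results for: {query}</p>"


def render_hardened(query):
    """HTML-encodes the input for the text-node context, so '<' can no longer start a tag."""
    return f"<p>Results for: {escape(query, quote=True)}</p>"


def hardened_headers():
    """Defence in depth: a CSP without 'unsafe-inline' stops inline script even if an encoder is missed."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def reflects_raw_markup(body, user_input):
    """Review/QA check: True when input containing '<' or '>' appears verbatim in the response body."""
    return any(c in user_input for c in "<>") and user_input in body


def handle(url, hardened=True):
    """Minimal request path: parse the parameter, render it, attach response headers."""
    q = query_param(url)
    body = render_hardened(q) if hardened else render_vulnerable(q)
    headers = hardened_headers() if hardened else {"Content-Type": "text/html"}
    return {"status": 200, "headers": headers, "body": body}


if __name__ == "__main__":
    for mode in (False, True):
        resp = handle(SAMPLE_URL, hardened=mode)
        print("hardened" if mode else "vulnerable", "->", resp["body"],
              "| raw markup reflected:", reflects_raw_markup(resp["body"], query_param(SAMPLE_URL)))
```

The encoding in render_hardened is specific to the HTML text-node context; a value placed inside an attribute, a URL, or a script block needs the encoder for that context, and the CSP header is the backstop for the case where one is missed.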
Remediation Timeline:
- March 6, 2026: Gainsight deployed a server-side code-level fix to remediate the XSS vulnerability (CVE-2026-31382).
- March 9, 2026: Patched updates for the Chrome and Outlook plugins were released to address the Information Disclosure vulnerability (CVE-2026-31381).
Defensive Monitoring
To determine whether your environment remains exposed to CVE-2026-31381, inventory every Gainsight Assist install and confirm that outdated plugins have been removed or updated. Below are defensive scripts to assist in asset discovery and patch verification.
PowerShell: Check for Gainsight Assist Chrome Extension
This script scans standard Chrome profile locations for the Gainsight Assist extension manifest to identify installed versions.
# Check for Gainsight Assist Extension
# Chrome stores each extension at <profile>\Extensions\<id>\<version>_<n>\manifest.json
$ChromePaths = @("$env:LOCALAPPDATA\Google\Chrome\User Data", "$env:APPDATA\Google\Chrome\User Data")
$NamePatterns = @("*Gainsight*", "*Assist*")   # Adjust to the exact name or ID from the vendor's manifest
Write-Host "Scanning for Gainsight Assist Chrome Extension..." -ForegroundColor Cyan
foreach ($Path in $ChromePaths) {
    if (-not (Test-Path $Path)) { continue }
    # $PROFILE is an automatic variable, so the loop variable is $ProfileDir to avoid clobbering it
    $ProfileDirs = Get-ChildItem $Path -Directory | Where-Object { $_.Name -match "^(Default|Profile \d+)$" }
    foreach ($ProfileDir in $ProfileDirs) {
        $ExtPath = Join-Path $ProfileDir.FullName "Extensions"
        if (-not (Test-Path $ExtPath)) { continue }
        # Search every extension manifest for a matching name
        Get-ChildItem $ExtPath -Recurse -Filter "manifest.json" | ForEach-Object {
            try {
                $Content = Get-Content $_.FullName -Raw | ConvertFrom-Json
            } catch {
                return   # skip unreadable or malformed manifests (acts as 'continue' inside ForEach-Object)
            }
            # Note: localised names appear as "__MSG_key__" and will not match the patterns above
            $Matched = $false
            foreach ($Pattern in $NamePatterns) { if ($Content.name -like $Pattern) { $Matched = $true } }
            if ($Matched) {
                # The extension ID is the directory two levels above manifest.json
                Write-Host "Found Extension:" $Content.name "(ID:" $_.Directory.Parent.Name ")" -ForegroundColor Yellow
                Write-Host "Profile:" $ProfileDir.Name
                Write-Host "Version:" $Content.version
                Write-Host "Path:" $_.FullName
            }
        }
    }
}
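For hosts where PowerShell is not the natural tool (macOS, Linux, or an EDR live-response session), here is an added Python equivalent that is not the advisory's own script. It walks Chrome's <profile>/Extensions/<id>/<version>_<n>/manifest.json layout, resolves localised "__MSG_key__" extension names, and compares each install against a version floor using numeric rather than string comparison. MIN_FIXED_VERSION is a placeholder because the advisory gives only the release date of the fixed build, not its version number; the per-OS profile paths and the data written by build_sample_tree are assumptions constructed for the example.

```python
import json
import sys
import tempfile
from pathlib import Path

# PLACEHOLDER: the advisory gives only the fixed build's release date (March 9, 2026), not its
# version number. Replace with the version the vendor publishes before relying on "patched".
MIN_FIXED_VERSION = "0.0.0"
NAME_PATTERNS = ("gainsight", "assist")


def chrome_user_data_dirs():
    """Default Chrome profile roots per OS (assumed default install locations)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return [home / "AppData" / "Local" / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome", home / ".config" / "chromium"]


def parse_version(text):
    """'3.10.2' -> (3, 10, 2): numeric parts, so 3.10 sorts above 3.9 (string compare gets it wrong)."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def version_at_least(installed, minimum):
    """Compare two dotted versions after padding the shorter one with zeros."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def display_name(manifest, manifest_path):
    """Resolve localised '__MSG_key__' names through _locales/<default_locale>/messages.json."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2]
    messages = manifest_path.parent / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return json.loads(messages.read_text(encoding="utf-8")).get(key, {}).get("message", name)
    except (OSError, ValueError):
        return name


def scan_user_data(root, min_version=MIN_FIXED_VERSION):
    """List matching extensions under <root>/<profile>/Extensions/<id>/<version>_<n>/manifest.json."""
    findings = []
    for manifest_path in Path(root).glob("*/Extensions/*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the scan
        name = display_name(manifest, manifest_path)
        if not any(p in name.lower() for p in NAME_PATTERNS):
            continue
        version = str(manifest.get("version", "0"))
        findings.append({
            "profile": manifest_path.parents[3].name,
            "extension_id": manifest_path.parents[1].name,
            "name": name,
            "version": version,
            "patched": version_at_least(version, min_version),
            "path": str(manifest_path),
        })
    return sorted(findings, key=lambda f: (f["profile"], f["extension_id"]))


def build_sample_tree(base):
    """Constructed Chrome-like tree for offline testing; the IDs and versions are made up."""
    samples = {
        ("Default", "a" * 32, "2.4.1_0"): {"name": "Gainsight Assist", "version": "2.4.1"},
        ("Profile 1", "a" * 32, "3.0.0_0"): {"name": "__MSG_appName__", "version": "3.0.0", "default_locale": "en"},
        ("Default", "b" * 32, "1.0_0"): {"name": "Unrelated Extension", "version": "1.0"},
    }
    for (profile, ext_id, ver_dir), manifest in samples.items():
        ext_dir = Path(base) / profile / "Extensions" / ext_id / ver_dir
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if "default_locale" in manifest:
            loc = ext_dir / "_locales" / manifest["default_locale"]
            loc.mkdir(parents=True, exist_ok=True)
            (loc / "messages.json").write_text(json.dumps({"appName": {"message": "Gainsight Assist"}}), encoding="utf-8")
    return base


def demo(min_version="3.0.0"):
    """Run the scanner over the constructed tree with a constructed floor of 3.0.0."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_user_data(build_sample_tree(tmp), min_version)


if __name__ == "__main__":
    live = [f for d in chrome_user_data_dirs() if d.is_dir() for f in scan_user_data(d)]
    print(json.dumps({"live_findings": live, "sample_run": demo()}, indent=2))
```

The JSON output is meant to be shipped to a central inventory so that "patched": false entries can be tracked per host; Chrome can keep more than one version directory for an extension during an update, so the per-profile records should be read as "this version is present", not "this is the only version".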
KQL (Microsoft Sentinel/Defender): Hunt for Plugin Installation Activity
This query helps identify device events related to the installation or modification of the Gainsight Assist plugin files, aiding in asset inventory.
DeviceFileEvents
// First clause: a folder named after the product (e.g. the Outlook add-in); second clause: any Chrome extension manifest
| where FolderPath endswith @"\Gainsight Assist\manifest.json" or (FolderPath contains @"\Extensions\" and FileName == "manifest.json")
// DeviceFileEvents carries no file contents, so the version is read from the path:
// Chrome lays extensions out as ...\Extensions\<32-char id>\<version>_<n>\manifest.json
| extend ExtensionId = extract(@"\\Extensions\\([a-p]{32})\\", 1, FolderPath)
| extend Version = extract(@"\\Extensions\\[a-p]{32}\\([0-9.]+)_\d+\\", 1, FolderPath)
// Once the vendor-published extension ID is known, narrow with: | where ExtensionId == "<id>"
| project Timestamp, DeviceName, ActionType, FolderPath, ExtensionId, Version
| order by Timestamp desc
Remediation
Security Arsenal recommends the following immediate actions to mitigate these risks:
- Update Plugins Immediately: Ensure all users update the Gainsight Assist plugin for Chrome and Outlook to the version released on or after March 9, 2026. Force a redeployment if your organization manages extensions via Group Policy or MDM.
- Verify Server-Side Fix: While Gainsight applied the server-side fix for CVE-2026-31382 on March 6, 2026, ensure your corporate proxies or firewalls are not blocking access to the patched app.gainsight.com endpoints, which could prevent clients from receiving the fix.
- Audit User Permissions: Review which users have the Gainsight Assist plugin installed. Ensure access is restricted to only those personnel who require it for business operations.
- User Awareness: Brief end-users about the risks of suspicious links, even within trusted SaaS platforms, as XSS attacks often rely on social engineering to trick users into clicking malicious URLs.