Introduction
Recent research by Rapid7 Labs has uncovered a security chain affecting the Gainsight Assist plugin and its integration with app.gainsight.com. For security teams, this discovery highlights a critical risk vector: the convergence of client-side plugins and web application vulnerabilities.
By chaining an Information Disclosure flaw with a Reflected Cross-Site Scripting (XSS) vulnerability, attackers can escalate from passive observation to active exploitation within a user's browser session. For organizations utilizing Gainsight for customer success and email templating, this represents a significant risk to data integrity and user privacy. This post outlines the technical details, defensive detection strategies, and the immediate remediation steps required to secure your environment.
Technical Analysis
The vulnerability chain consists of two distinct CVEs that affect the Gainsight Assist ecosystem, specifically the Chrome and Outlook plugins interacting with the main Gainsight web application.
- CVE-2026-31381 (Information Disclosure): This vulnerability exists within the Gainsight Assist plugin. It allows an attacker to gather sensitive information passively. In the context of this attack chain, this information disclosure provides the necessary context or tokens to facilitate further exploitation.
- CVE-2026-31382 (Reflected Cross-Site Scripting): This flaw affects the app.gainsight.com domain. Reflected XSS occurs when an application accepts untrusted input and includes it in an HTTP response without proper sanitization or encoding.
The Attack Chain:
The danger here lies in the combination. An attacker can leverage the Information Disclosure vulnerability (CVE-2026-31381) to obtain specific details about the target environment or session. They then use these details to craft a precise payload that triggers the Reflected XSS vulnerability (CVE-2026-31382) against app.gainsight.com. If a user executes the malicious link (e.g., via a phishing email), the script runs in the context of the user's session, potentially allowing the attacker to perform actions on behalf of the user or access further data.
Affected Products:
- Gainsight Assist Chrome Plugin
- Gainsight Assist Outlook Plugin
Patch Status: Gainsight has addressed the XSS component via a server-side code-level fix deployed on March 6, 2026. The Information Disclosure vulnerability in the plugins was remediated with updates released on March 9, 2026.
Defensive Monitoring
To effectively defend against these vulnerabilities, security teams must focus on two areas: identifying vulnerable plugin versions in the environment and detecting potential exploitation attempts (XSS).
SIGMA Detection Rules
The following SIGMA rules help identify the presence of the Gainsight Assist plugins on endpoints and monitor for suspicious interactions with the application domain.
```yaml
title: Gainsight Assist Outlook Add-in Loaded
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the loading of the Gainsight Assist Outlook Add-in DLL. Identifying hosts with this plugin is critical for vulnerability management tracking.
references:
    - https://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed
author: Security Arsenal
date: 2026/03/10
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains: 'Gainsight.Assist.Outlook'
    condition: selection
falsepositives:
    - Legitimate use of Gainsight Assist plugin
level: informational
```

```yaml
title: Potential Suspicious Connection to Gainsight App
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects network connections to app.gainsight.com. While often legitimate, spikes or specific context can indicate usage of the vulnerable web interface.
references:
    - https://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed
author: Security Arsenal
date: 2026/03/10
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains: 'app.gainsight.com'
    condition: selection
falsepositives:
    - Legitimate business use of Gainsight platform
level: low
```
KQL Queries
**Query 1: Identify Devices Loading the Outlook Plugin**
This query for Microsoft Sentinel hunts for devices where the Outlook plugin DLL has been loaded, helping you prioritize patching.

```kql
DeviceImageLoadEvents
| where FolderPath endswith @"\Gainsight.Assist.Outlook.Addin.dll"
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath
| summarize count() by DeviceName, FolderPath
```
**Query 2: Monitor for Suspicious Activity on Gainsight Domain**
Identify potential XSS probes or unusual access patterns to the Gainsight application.
```kql
DeviceNetworkEvents
| where RemoteUrl has "app.gainsight.com"
| where UrlOriginal contains "<" or UrlOriginal contains "javascript:" or UrlOriginal contains "alert("
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, UrlOriginal
```
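The same matching logic, re-implemented in Python over a handful of constructed `DeviceNetworkEvents`-shaped records so it can be run offline against exported telemetry. This is an added example for this post, not part of the original queries; the device names, accounts, timestamps and URL paths are made up. It adds one caveat the KQL above does not handle: a probe that arrives percent-encoded (`%3C` for `<`, `%28` for `(`) contains none of the literal substrings, so the detector URL-decodes `UrlOriginal` before matching.

```python
from urllib.parse import unquote

# Constructed sample records; field names follow the DeviceNetworkEvents
# columns used in Query 2, the values are invented for this example.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-03-05T09:12:01Z", "DeviceName": "ws-001",
     "InitiatingProcessAccountName": "alice", "RemoteUrl": "app.gainsight.com",
     "UrlOriginal": "https://app.gainsight.com/PLACEHOLDER-PATH/home"},
    {"Timestamp": "2026-03-05T09:15:44Z", "DeviceName": "ws-002",
     "InitiatingProcessAccountName": "bob", "RemoteUrl": "app.gainsight.com",
     "UrlOriginal": "https://app.gainsight.com/PLACEHOLDER-PATH/search?q=<script>alert(1)</script>"},
    {"Timestamp": "2026-03-05T09:16:10Z", "DeviceName": "ws-003",
     "InitiatingProcessAccountName": "carol", "RemoteUrl": "app.gainsight.com",
     # Same probe, fully percent-encoded: no literal "<", "alert(" or "javascript:"
     "UrlOriginal": "https://app.gainsight.com/PLACEHOLDER-PATH/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"},
    {"Timestamp": "2026-03-05T09:20:00Z", "DeviceName": "ws-004",
     "InitiatingProcessAccountName": "dave", "RemoteUrl": "example.com",
     "UrlOriginal": "https://example.com/?q=<b>"},   # wrong host, must not match
]

# Literal substrings from Query 2 (lower-case so "JavaScript:" also matches after normalisation).
MARKERS = ("<", "javascript:", "alert(")
PROJECTED = ("Timestamp", "DeviceName", "InitiatingProcessAccountName", "RemoteUrl", "UrlOriginal")


def normalise_url(url: str) -> str:
    """Decode twice to unwrap double-encoded input, then lower-case."""
    return unquote(unquote(url)).lower()


def suspicious_gainsight_events(events, decode: bool = True):
    """Return the projected fields of events to app.gainsight.com whose URL
    carries one of the XSS-probe markers.  decode=False reproduces the
    literal-substring behaviour of the KQL; decode=True adds URL decoding."""
    hits = []
    for ev in events:
        if "app.gainsight.com" not in ev["RemoteUrl"]:      # RemoteUrl has "app.gainsight.com"
            continue
        url = normalise_url(ev["UrlOriginal"]) if decode else ev["UrlOriginal"]
        if any(marker in url for marker in MARKERS):
            hits.append({k: ev[k] for k in PROJECTED})
    return hits


if __name__ == "__main__":
    for label, decode in (("literal match", False), ("decoded match", True)):
        names = [h["DeviceName"] for h in suspicious_gainsight_events(SAMPLE_EVENTS, decode)]
        print(f"{label}: {names}")
```

In Sentinel the equivalent hardening is to match on `url_decode(UrlOriginal)` rather than the raw column; expect the decoded variant to raise the false-positive rate slightly, since legitimate encoded parameters will also be unwrapped.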
Velociraptor VQL Artifacts
Use these VQL artifacts to hunt for the presence of the vulnerable plugin files on your endpoints.
```sql
-- Hunt for Gainsight Outlook Add-in files.
-- glob() takes a list of patterns; both 32-bit and 64-bit Office roots are covered in one call.
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs=[
    'C:/Program Files/Microsoft Office/*/root/Office*/Addins/Gainsight*',
    'C:/Program Files (x86)/Microsoft Office/*/root/Office*/Addins/Gainsight*'
])
```

```sql
-- Hunt for Gainsight Chrome extension manifests across every user profile.
-- Chrome stores unpacked extensions under <profile>\Extensions\<id>\<version>\manifest.json;
-- the manifest body is searched for the vendor name.
SELECT FullPath, Mtime
FROM glob(globs='C:/Users/*/AppData/Local/Google/Chrome/User Data/*/Extensions/*/*/manifest.json')
WHERE read_file(filename=FullPath) =~ 'Gainsight'
```
Remediation Verification Script
This PowerShell script checks if the vulnerable plugin files exist on a Windows endpoint.
```powershell
# Check for Gainsight Outlook Plugin files under both Office install roots.
$paths = @(
    "C:\Program Files\Microsoft Office",
    "C:\Program Files (x86)\Microsoft Office"
)

$found = $false
foreach ($root in $paths) {
    if (Test-Path $root) {
        # Recurse the Office tree for any file carrying the add-in name.
        $files = Get-ChildItem -Path $root -Recurse -Filter "*Gainsight.Assist.Outlook*" -ErrorAction SilentlyContinue
        if ($files) {
            Write-Host "[!] Found Gainsight Assist Plugin:" -ForegroundColor Yellow
            $files | Select-Object FullName, LastWriteTime
            $found = $true
        }
    }
}

if (-not $found) {
    Write-Host "[+] No Gainsight Outlook plugin files found in standard directories." -ForegroundColor Green
}
```
Remediation
To mitigate the risks posed by CVE-2026-31381 and CVE-2026-31382, organizations should take the following steps immediately:
- Update Plugins: Ensure all users update the Gainsight Assist plugin for both Chrome and Outlook to the latest version released on or after March 9, 2026. Enforce this update via browser management policies and software distribution tools for Outlook add-ins.
- Verify Server-Side Fix: Confirm that the SaaS environment app.gainsight.com is running the patched code (deployed March 6, 2026). Most SaaS customers receive this automatically, but verify with your Gainsight representative if you utilize a dedicated instance or have specific security compliance requirements.
- User Awareness: Briefly educate customer success and sales teams about the risks of clicking suspicious links, even those that appear to be related to internal tools like Gainsight, as the XSS vector relies on user interaction.
- Audit Access: Review access logs for app.gainsight.com around the patch dates to ensure no suspicious activity occurred before the remediation was applied.