
How to Protect Against Gainsight Assist Vulnerabilities: Patching CVE-2026-31381 and CVE-2026-31382

Security Arsenal Team
March 28, 2026
5 min read


Security teams must remain vigilant regarding the software extensions integrated into their daily workflow tools. Recently, Rapid7 Labs disclosed a chain of vulnerabilities in the Gainsight Assist plugin—a tool widely used to sync email templates and customer data. By exploiting an information disclosure flaw (CVE-2026-31381) and a reflected cross-site scripting (XSS) vulnerability (CVE-2026-31382), attackers could escalate from passive information gathering to active client-side attacks against your users.

For defenders, this highlights the ongoing risk of "shadow IT" and browser extensions that interact with sensitive corporate data. Even trusted vendor tools can introduce attack vectors if not properly managed and updated.

Technical Analysis

The vulnerability chain identified by Rapid7 Labs involves two distinct CVEs affecting the Gainsight Assist plugin and its interaction with app.gainsight.com.

CVE-2026-31381: Information Disclosure

This flaw lets an attacker obtain information that the plugin should have kept restricted to the authenticated user. In the context of Gainsight Assist, the data at risk was user data or session details. An information disclosure bug is rarely critical on its own, but it is often the first link in a chain: it supplies the reconnaissance (identifiers, tokens, internal URLs) that a second bug needs in order to be exploited reliably.

CVE-2026-31382: Reflected Cross-Site Scripting (XSS)

The second flaw is a reflected XSS vulnerability. XSS occurs when an application includes untrusted data in a web page without proper validation or output encoding; in the reflected variant the payload travels in the request (typically a URL parameter) and is echoed straight back in the response, so the victim must be induced to open an attacker-supplied link. Because Gainsight fixed this issue server-side, the injection point sits in the app.gainsight.com endpoints the plugin talks to rather than in the plugin binary itself. A successful exploit runs arbitrary script in the victim's browser within the Gainsight origin, which can lead to session hijacking, credential theft, or delivery of further malware.

The Attack Chain

The critical risk here is the chaining of these two vulnerabilities. An attacker could first use CVE-2026-31381 to gather the information needed to target a victim (such as tokens or user identifiers) and then use CVE-2026-31382 to run script in that victim's browser in the context of their Gainsight session. Neither bug alone yields account takeover; together they turn a passive leak into an active attack on the user.

Affected Products:

  • Gainsight Assist Chrome Extension
  • Gainsight Assist Outlook Plugin

Timeline and Fixes:

  • March 6, 2026: Gainsight remediated the XSS vulnerability (CVE-2026-31382) via a server-side code-level fix.
  • March 9, 2026: Gainsight released patched updates for the Chrome and Outlook plugins to address the Information Disclosure vulnerability (CVE-2026-31381).

Defensive Monitoring

To verify if your environment is protected, security teams should identify the version of Gainsight Assist currently installed on user endpoints. Since these are often user-installed plugins, checking via registry keys or file systems is necessary.

The following PowerShell script checks the Windows Registry for the presence and version of the Gainsight Assist Outlook Add-in. Note that a meaningful version check requires knowing the version number of the patched build released on March 9, 2026, which this article does not reproduce; administrators should confirm that the Version property returned by this script (or, more reliably, the DisplayVersion of the installed program) corresponds to that release or later.

PowerShell
<#
.SYNOPSIS
    Detects Gainsight Assist Outlook Add-in registration and version.
.DESCRIPTION
    Queries the Outlook Addins registry keys (per-user, per-machine, and the
    32-bit Office view on 64-bit Windows) for entries whose ProgID, friendly
    name or description mentions Gainsight. Administrators should verify the
    returned version against the patched release of March 9, 2026.
#>

$OutlookAddinsPaths = @(
    "HKCU:\Software\Microsoft\Office\Outlook\Addins",
    "HKLM:\Software\Microsoft\Office\Outlook\Addins",
    "HKLM:\Software\WOW6432Node\Microsoft\Office\Outlook\Addins"
)

$FoundAddins = @()

foreach ($Path in $OutlookAddinsPaths) {
    if (-not (Test-Path $Path)) { continue }

    # Each subkey is the add-in's ProgID (for example Vendor.AddinName)
    foreach ($Key in (Get-ChildItem -Path $Path -ErrorAction SilentlyContinue)) {
        $Property = Get-ItemProperty -Path $Key.PSPath -ErrorAction SilentlyContinue

        # Match on the ProgID, FriendlyName or Description rather than on the
        # whole object, which would also match unrelated text in PSPath.
        if ($Key.PSChildName -match "Gainsight" -or
            $Property.FriendlyName -match "Gainsight" -or
            $Property.Description -match "Gainsight") {

            $FoundAddins += [PSCustomObject]@{
                ProgId       = $Key.PSChildName
                AddInName    = $Property.FriendlyName
                LoadBehavior = $Property.LoadBehavior   # 3 = loaded at Outlook startup
                Path         = $Key.PSPath
                Version      = $Property.Version        # Often absent: most add-ins keep
                                                        # their version in the Uninstall
                                                        # key, not under Addins
            }
        }
    }
}

if ($FoundAddins.Count -gt 0) {
    Write-Host "[+] Gainsight Assist Outlook add-in detected:" -ForegroundColor Yellow
    $FoundAddins | Format-List
} else {
    Write-Host "[-] No Gainsight add-in found in standard registry paths." -ForegroundColor Green
}

For the Chrome extension, if you manage browsers via Group Policy you can confirm which extensions are force-installed, but the policy does not tell you which build each profile has actually loaded; for that, read the version folder under each profile's Extensions directory or the extension's manifest.json. If users manage their own extensions, rely on the remediation steps below to enforce updates.
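The registry script above only confirms that the Outlook add-in is registered. The script below, an added example that is not part of the original article and not Gainsight's or Rapid7's code, extends the check to both affected products: it reads the version of every Gainsight-named Chrome extension from each local user's profile and the DisplayVersion of the Outlook add-in from the Uninstall keys, then compares each against a patched version you supply. Two things are assumptions: the default version strings "0.0.0" are placeholders to replace with the build numbers Gainsight published on March 9, 2026 (the article does not reproduce them), and the extension is recognised by a manifest name containing "Gainsight" because its Web Store ID is not given here.

```powershell
<#
.SYNOPSIS
    Reports installed Gainsight Assist components (Chrome extension and Outlook
    add-in) per user and flags any below an administrator-supplied patched version.
.NOTES
    Added example, not Gainsight's or Rapid7's code. Assumptions: the patched
    version strings are placeholders to replace with the build numbers Gainsight
    published on March 9, 2026; the extension is recognised by a manifest "name"
    containing "Gainsight" because its Web Store ID is not given in the article.
#>
param(
    [string]$ChromePatched  = "0.0.0",   # placeholder: March 9, 2026 extension version
    [string]$OutlookPatched = "0.0.0"    # placeholder: March 9, 2026 add-in version
)

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # [version] needs at least "major.minor"; Chrome allows one to four numeric parts.
    $parts = @($Text -split '\.' | Where-Object { $_ -match '^\d+$' })
    if ($parts.Count -eq 0) { return $null }
    while ($parts.Count -lt 2) { $parts += '0' }
    return [version]($parts -join '.')
}

function Test-PatchedVersion {
    param([string]$Installed, [string]$Required)
    $i = ConvertTo-ComparableVersion $Installed
    $r = ConvertTo-ComparableVersion $Required
    if ($null -eq $i -or $null -eq $r) { return 'UNKNOWN' }
    if ($i -ge $r) { return 'PATCHED' }
    return 'VULNERABLE'
}

function Get-GainsightChromeExtensions {
    # Every Chrome profile keeps installed extensions under
    # <User Data>\<Profile>\Extensions\<32-char id>\<version>_<n>\manifest.json
    $pattern = "$env:SystemDrive\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\manifest.json"
    foreach ($m in Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue) {
        $id = $m.Directory.Parent.Name
        if ($id -notmatch '^[a-p]{32}$') { continue }        # skip non-extension folders
        try { $json = Get-Content -Path $m.FullName -Raw | ConvertFrom-Json } catch { continue }
        # Localised names appear as __MSG_xxx__ and will not match on "Gainsight";
        # once the extension ID is known, match on $id instead.
        if ($json.name -notmatch 'Gainsight') { continue }
        [PSCustomObject]@{
            Component = 'Chrome extension'
            User      = ($m.FullName -split '\\')[2]          # C:\Users\<name>\...
            Name      = $json.name
            Version   = [string]$json.version
            Status    = Test-PatchedVersion $json.version $ChromePatched
            Location  = $m.Directory.FullName
        }
    }
}

function Get-GainsightOutlookPlugin {
    # Uninstall entries carry DisplayVersion; the Outlook Addins key usually does not.
    # HKCU is only visible for the user running the script.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Gainsight' } |
        ForEach-Object {
            $scope = if ($_.PSPath -match 'HKEY_CURRENT_USER') { $env:USERNAME } else { '(all users)' }
            [PSCustomObject]@{
                Component = 'Outlook add-in'
                User      = $scope
                Name      = $_.DisplayName
                Version   = [string]$_.DisplayVersion
                Status    = Test-PatchedVersion $_.DisplayVersion $OutlookPatched
                Location  = $_.PSPath
            }
        }
}

$report = @(Get-GainsightChromeExtensions) + @(Get-GainsightOutlookPlugin)
if ($report.Count -eq 0) {
    Write-Host '[-] No Gainsight Assist component found on this host.' -ForegroundColor Green
} else {
    $report | Sort-Object Status, User | Format-Table Component, User, Name, Version, Status -AutoSize
    if ($report.Status -contains 'VULNERABLE') { exit 1 }   # non-zero exit for fleet tooling
}
```

Run it elevated so every user's profile directory and the machine-wide Uninstall keys are readable; run it through your endpoint management tool and collect the exit code to get a fleet-wide count of unpatched hosts. A status of UNKNOWN means the version string could not be parsed (for example, the placeholder patched version was never replaced).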

Remediation

To fully mitigate the risk posed by this vulnerability chain, organizations must ensure both the client-side plugins and the server-side interaction are secure. The server-side fix (XSS) is handled by Gainsight, but the client-side update (Information Disclosure) requires action on your endpoints.

1. Update Chrome Extension

  • Open chrome://extensions, enable Developer mode and click Update, or reinstall from the Chrome Web Store listing for Gainsight Assist.
  • Ensure the extension is updated to the version released on or after March 9, 2026.
  • If your organization force-installs the extension via policy, note that ExtensionInstallForcelist entries name only the extension ID and update URL, not a version: Chrome updates force-installed extensions automatically, but a profile that cannot reach the update URL keeps running the old build. To refuse stale builds outright, set minimum_version_required for the extension in the ExtensionSettings policy; Chrome disables any installed copy older than that version until it updates.
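The script below, an added example that is not from the original article and not Gainsight's or Google's own tooling, shows the weak configuration (a forcelist entry alone) beside the corrected one: it lists the current ExtensionInstallForcelist entries and then writes an ExtensionSettings policy that force-installs the extension with a minimum_version_required, merging with any settings already present for other extensions. Both inputs are assumptions the article does not supply: $ExtensionId is a placeholder for the Gainsight Assist Web Store ID, and $MinimumVersion is the build number Gainsight shipped on March 9, 2026.

```powershell
<#
.SYNOPSIS
    Pins a minimum version for a force-installed Chrome extension via the
    ExtensionSettings policy, so builds older than the patched release are disabled.
.NOTES
    Added example, not Gainsight's or Google's tooling. Assumptions: $ExtensionId is a
    placeholder for the Gainsight Assist Web Store ID (not given in the article) and
    $MinimumVersion is the version Gainsight shipped on March 9, 2026. Run elevated;
    Chrome applies the change on its next policy refresh (chrome://policy > Reload policies).
#>
param(
    [Parameter(Mandatory)][ValidatePattern('^[a-p]{32}$')][string]$ExtensionId,
    [Parameter(Mandatory)][string]$MinimumVersion,
    [string]$UpdateUrl = 'https://clients2.google.com/service/update2/crx'  # Web Store update endpoint
)

$ChromePolicy = 'HKLM:\Software\Policies\Google\Chrome'

# Weak setting: ExtensionInstallForcelist alone. It keeps the extension installed and
# auto-updating, but says nothing about which version is acceptable, so a profile that
# cannot reach the update URL keeps running the vulnerable build.
function Get-ForcelistEntries {
    $key = Join-Path $ChromePolicy 'ExtensionInstallForcelist'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }            # each value is "<id>;<update_url>"
}

# Corrected setting: ExtensionSettings with installation_mode and minimum_version_required.
# On Windows this dictionary policy is stored as a single JSON string value.
function Set-ExtensionMinimumVersion {
    param([string]$Id, [string]$Version, [string]$Url)
    if (-not (Test-Path $ChromePolicy)) { New-Item -Path $ChromePolicy -Force | Out-Null }

    $settings = @{}
    $existing = (Get-ItemProperty -Path $ChromePolicy -Name ExtensionSettings -ErrorAction SilentlyContinue).ExtensionSettings
    if ($existing) {
        # Preserve whatever is already configured for other extensions
        $obj = $existing | ConvertFrom-Json
        foreach ($p in $obj.PSObject.Properties) { $settings[$p.Name] = $p.Value }
    }
    $settings[$Id] = @{
        installation_mode        = 'force_installed'
        update_url               = $Url
        minimum_version_required = $Version
    }
    $json = $settings | ConvertTo-Json -Depth 5 -Compress
    Set-ItemProperty -Path $ChromePolicy -Name ExtensionSettings -Value $json -Type String
    return $json
}

function Get-ExtensionMinimumVersion {
    param([string]$Id)
    $raw = (Get-ItemProperty -Path $ChromePolicy -Name ExtensionSettings -ErrorAction SilentlyContinue).ExtensionSettings
    if (-not $raw) { return $null }
    $obj = $raw | ConvertFrom-Json
    return $obj.$Id.minimum_version_required
}

Write-Host '[*] Current ExtensionInstallForcelist entries (no version pin):'
Get-ForcelistEntries | ForEach-Object { Write-Host "    $_" }

$null   = Set-ExtensionMinimumVersion -Id $ExtensionId -Version $MinimumVersion -Url $UpdateUrl
$pinned = Get-ExtensionMinimumVersion -Id $ExtensionId
Write-Host "[+] $ExtensionId is now force-installed with minimum version $pinned" -ForegroundColor Green
```

Keeping the forcelist entry alongside ExtensionSettings is harmless, but ExtensionSettings takes precedence, and it is the only one of the two that can express a version floor. Verify on a test machine that chrome://policy shows the merged JSON without an error before rolling it out by GPO.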

2. Update Outlook Plugin

  • Uninstall the current version of the Gainsight Assist plugin for Outlook.
  • Download and install the latest version from the official Gainsight distribution channel (released March 9, 2026).
  • Communicate with users to ensure they do not reinstall legacy versions from local archives.

3. Verify Server-Side Protection

  • The XSS fix (CVE-2026-31382) was applied server-side on March 6, 2026, so there is nothing to deploy, but it only protects clients that actually reach the patched application. Confirm that network proxies, TLS-inspection allowlists or content caches are not pinning users to stale or mirrored copies of app.gainsight.com, and that the plugin is not being blocked in a way that pushes it onto an outdated local cache.

4. User Awareness

  • Inform users about the risks of browser extensions. Encourage them to report any unusual behavior in their email clients, such as unexpected pop-ups or redirections when using the Gainsight Assist plugin.
