CVE-2026-31381

Medium

An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.

rapid7·CWE-598·Published 2026-03-20

CVSS

5.3

EPSS

0.00

KEV

Exploits

cve.orgen

128 chars

An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.

NVDen

128 chars

An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.

NVDes

183 chars

Un atacante puede extraer direcciones de correo electrónico de usuario (IIP) expuestas en codificación base64 a través del parámetro state en la URL de devolución de llamada de OAuth.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	5.3	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Secondary	NVD	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N