Low

StrongDM Desktop for Windows Cleartext Storage of Authentication State

IdentifiersCVE-2026-4387CWE-312· Cleartext Storage of Sensitive…

CVE-2026-4387 affects StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows. After successful login, the client stores authentication state in cleartext in the per-user file C:\Users<username>.sdm\state.kv. According to the provided content, this state file contains a JSON Web Token (JWT) and asymmetric key material, including a private/public key pair, and is protected only by default user-level NTFS permissions. The supporting content also indicates related exposure through a local endpoint and cached files retaining sensitive authentication data, and notes that the authentication material was not bound to the originating host, enabling reuse on another system. As a result, an attacker who can read the affected user's profile data can copy the stored authentication material and replay it to authenticate as that user.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to compromise of the victim's StrongDM session and unauthorized access to resources reachable through StrongDM, including databases, servers, and cloud resources. Because the stored JWT and key material can be reused on another host, the issue enables session hijacking and impersonation without needing the victim's credentials. In enterprise environments this can facilitate post-compromise lateral movement and broader unauthorized access, subject to the additional deployment and execution conditions noted in the source content.

Mitigation

If you can’t patch tonight, do this now.

Until patched versions are deployed, restrict local access to affected Windows systems and especially to user profile directories containing C:\Users<username>.sdm\state.kv. Limit untrusted local user access, reduce opportunities for post-compromise file theft, and monitor or harden access to the state file and related cached authentication artifacts. Because exploitation is local, host hardening and preventing unauthorized read access to the affected user's profile are the primary interim mitigations.

Remediation

Patch, then assume compromise.

Upgrade StrongDM Desktop Application to 23.74.0 or later and Desktop Client/CLI to 53.77.0 or later. The provided content states that StrongDM remediated the issue by removing plaintext storage of sensitive authentication data, eliminating JWTs from state.kv, and using secure platform-native secret storage such as DPAPI on Windows and Keychain on macOS. Validation should confirm that copied session files can no longer be reused across hosts.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

StrongDMDesktop Applicationapplication

StrongDMDesktop Clientapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

cyber security newsNews

Jun 2, 2026

Critical StrongDM Vulnerability Allows Attackers to Steal and Reuse Authentication

An authentication/session hijacking vulnerability in StrongDM Desktop and CLI caused by plaintext local storage of reusable authentication material, enabling attackers with user-level access on a compromised system to impersonate users and access managed infrastructure resources.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-4387

NVD

nvd.nist.gov/vuln/detail/CVE-2026-4387

MITRE CWE · CWE-312

Cleartext Storage of Sensitive Information

security.strongdm.com

security.strongdm.com/?tcuUid=56fde839-9388-4361-8d3b-9baa7b2de2ed

specterops.io

specterops.io/blog/2026/06/01/cve-2026-4387-strongdm-state-file-reuse