CVE-2026-4387
Authentication State Exposure in StrongDM Desktop
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: StrongDM
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| strongdm | desktop_application | before 23.74.0 (23.74.0 itself excluded) |
| strongdm | desktop_client | before 53.77.0 (53.77.0 itself excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the StrongDM Desktop Application before version 23.74.0 on Microsoft Windows (Desktop Client before 53.77.0). The application writes its authentication state, including a JSON Web Token and asymmetric key material, in cleartext to a per-user state file at C:\Users\<username>\.sdm\state.kv. This is cleartext storage of sensitive information (CWE-312) combined with insufficiently protected credentials (CWE-522).
The file relies solely on the default NTFS permissions of the user's profile directory, which grant access to that user, SYSTEM and the local Administrators group. Any process running in the user's security context (for example, malware delivered by phishing) can therefore read the token and key material without escalating privileges, as can a local administrator or anyone holding a copy of the profile from a backup or disk image.
Exploitation requires local read access to the affected profile, so the issue is not remotely exploitable on its own; it is a post-compromise credential-theft vector rather than an initial-access vulnerability.
How can this vulnerability impact me?
If exploited, an attacker with read access to the user's profile directory obtains the user's StrongDM authentication token and key material in cleartext, without needing the user's password or interactive session.
Because these artefacts authenticate the user to StrongDM, the attacker can reuse them to act as that user and reach the infrastructure resources the user is authorized to access through StrongDM, compromising downstream accounts or data. The exposure persists for as long as the stolen token and key remain valid.
The risk is limited to scenarios in which the attacker already has code execution as the user, administrative rights on the host, or offline access to the profile, so the vulnerability primarily raises the impact of an existing endpoint compromise rather than creating a new entry point.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
On affected Windows systems the authentication state, including a JSON Web Token and asymmetric key material, is stored in cleartext in a per-user state file at C:\Users\<username>\.sdm\state.kv.
The authoritative indicator is the installed client version: Desktop Application builds below 23.74.0 (Desktop Client below 53.77.0) are affected. The presence of the state file in a user's .sdm directory and the permissions on it are supporting evidence; avoid dumping the file to a console, since that copies the token into terminal history, screen-recording or session logs.
- Locate the file for a specific user: dir C:\Users\<username>\.sdm\state.kv
- Locate the file across all profiles on the host: dir /s /b C:\Users\*\.sdm\state.kv
- Check NTFS permissions to confirm only the profile owner, SYSTEM and Administrators are listed: icacls C:\Users\<username>\.sdm\state.kv
- Only if the content must be inspected, do so in a controlled forensic workflow rather than with type; a cleartext JWT starts with eyJ (the base64url encoding of {"), and PEM-encoded key material carries a -----BEGIN ... PRIVATE KEY----- marker.
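The checks above, combined into one triage script. This is an added example written for this page, not StrongDM's code. It assumes (neither is stated in the advisory) that the installed product's uninstall entry has a DisplayName containing "StrongDM", and it uses the JWT and PEM markers only as a heuristic for cleartext credentials; it reports whether those markers are present without printing the file contents.

```powershell
# Added example (not StrongDM's code): triage CVE-2026-4387 exposure on a Windows host.
# Run from an elevated PowerShell so every profile under C:\Users is readable.
# Assumptions not taken from the advisory:
#   - the uninstall entry's DisplayName contains "StrongDM"
#   - "eyJ..." (JWT) and "-----BEGIN ... PRIVATE KEY-----" (PEM) mark cleartext credentials

$FixedVersion = [version]'23.74.0'

# 1. Installed client version. HKCU only covers the current user's per-user installs.
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like '*StrongDM*' }   # DisplayName match is an assumption
foreach ($app in $installed) {
  if (-not $app.DisplayVersion) { continue }
  # Keep the leading dotted-numeric part so that [version] accepts strings like "23.73.2-beta".
  $v = [version]($app.DisplayVersion -replace '[^\d.].*$', '')
  $status = if ($v -lt $FixedVersion) { 'VULNERABLE (below 23.74.0)' } else { 'fixed' }
  '{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $status
}

# 2. Per-user state files: who can read them, and do they look like cleartext credentials.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
Get-ChildItem 'C:\Users\*\.sdm\state.kv' -Force -ErrorAction SilentlyContinue | ForEach-Object {
  $file  = $_
  $owner = $file.Directory.Parent.Name          # C:\Users\<owner>\.sdm\state.kv
  $acl   = Get-Acl $file.FullName
  # Any principal other than the profile owner, SYSTEM or Administrators widens exposure.
  $extra = $acl.Access | Where-Object {
    $id = $_.IdentityReference.Value
    ($id -notin $expected) -and ($id -notlike "*\$owner")
  }
  # Heuristic scan; the match result is reported, the matched secret is not.
  $text   = [System.IO.File]::ReadAllText($file.FullName)
  $hasJwt = $text -match 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'
  $hasPem = $text -match '-----BEGIN [A-Z ]*PRIVATE KEY-----'
  [pscustomobject]@{
    Profile        = $owner
    Path           = $file.FullName
    LastWrite      = $file.LastWriteTime
    JwtPresent     = $hasJwt
    PrivateKeyPem  = $hasPem
    UnexpectedACEs = ($extra.IdentityReference.Value -join ', ')
  }
}
```

Treat a version below 23.74.0 as the finding; the file scan tells you which profiles on the host carry live credentials that should be considered exposed if that host was compromised before the upgrade. A clean heuristic scan does not prove the file is safe, since the page does not document the state.kv format.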
What immediate steps should I take to mitigate this vulnerability?
The fix is to update the StrongDM Desktop Application to version 23.74.0 or later (Desktop Client 53.77.0 or later), which changes how authentication state is stored. After upgrading, have users sign out and sign back in so that a token or key that may already have been read from the old cleartext file is superseded, and treat any host with signs of prior compromise as having exposed StrongDM credentials.
Until the update is applied, keep in mind that the default profile permissions already restrict the file to the profile owner, SYSTEM and Administrators, so tightening the ACL further gains little against the realistic attacker: code running as the user. Focus instead on limiting who holds local administrator rights on the affected machines, ensuring only trusted users can log on to them, and keeping backups or images of user profiles under the same protection you would give credential stores.
Consider enabling object-access auditing on the .sdm directory so that reads of state.kv by anything other than the StrongDM client itself produce a Security log event you can alert on.
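One way to implement the interim monitoring suggested above, as an added example that is not StrongDM's code: apply a Windows SACL to each user's .sdm directory so that file access produces Security event 4663, then filter those events to the state file. It assumes an elevated shell and that auditing the whole .sdm tree (not only state.kv) is acceptable noise; the property indices used to extract the subject and process follow the standard 4663 event schema.

```powershell
# Added example (not StrongDM's code): audit access to the StrongDM state file until the
# client is upgraded. Requires an elevated shell (setting a SACL needs SeSecurityPrivilege).
# Assumption: auditing the entire .sdm directory is acceptable; narrow the rule if too noisy.

# Object-access events are only written when the "File System" subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

$dirs = Get-ChildItem 'C:\Users\*\.sdm' -Directory -Force -ErrorAction SilentlyContinue
foreach ($dir in $dirs) {
  # -Audit is required so Set-Acl writes the SACL rather than only the DACL.
  $acl  = Get-Acl -Path $dir.FullName -Audit
  # Log any principal reading, writing or deleting anything under .sdm, including new files.
  $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
  $acl.AddAuditRule($rule)
  Set-Acl -Path $dir.FullName -AclObject $acl
  "Audit rule applied to $($dir.FullName)"
}

# Review who touched state.kv. Event 4663 fields: [1] SubjectUserName, [6] ObjectName,
# [11] ProcessName (per the 4663 event schema).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 1000 |
  Where-Object { $_.Properties[6].Value -like '*\.sdm\state.kv' } |
  Select-Object TimeCreated,
    @{ n = 'Subject'; e = { $_.Properties[1].Value } },
    @{ n = 'Process'; e = { $_.Properties[11].Value } },
    @{ n = 'Object';  e = { $_.Properties[6].Value } }
```

The StrongDM client itself will appear in these events as the normal reader; baseline its process path and alert on any other process (or any other user's logon) touching state.kv. Remove the audit rule after the upgrade if the event volume is no longer wanted.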