Unencrypted storage of authentication state in StrongDM Desktop Application state.kv file
Summary
| CVE | CVE-2026-4387 |
|---|---|
| State | PUBLISHED |
| Assigner | StrongDM |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-29 20:16:30 UTC |
| Updated | 2026-06-01 17:17:35 UTC |
| Description | StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file is protected only by default user-level NTFS permissions. Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host. The condition was reported through coordinated disclosure by Hope Walker (SpecterOps). |
Risk And Classification
Primary CVSS: v4.0, score 2 (LOW), from source ebf2cdfb-f390-4894-8ec9-f81bf1c57e6b
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: probability 0.00008, percentile 0.008 (as of 2026-06-03)
Problem Types: CWE-312 Cleartext Storage of Sensitive Information; CWE-522 Insufficiently Protected Credentials
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | ebf2cdfb-f390-4894-8ec9-f81bf1c57e6b | Secondary | 2 | LOW | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/C... |
| 4.0 | CNA | CVSS | 2 | LOW | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | StrongDM | StrongDM Desktop Application | affected: versions before 23.74.0 (semver) | Windows |
| CNA | StrongDM | StrongDM Desktop Client | affected: versions before 53.77.0 (semver) | Windows |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| specterops.io/blog/2026/06/01/cve-2026-4387-strongdm-state-file-reuse | ebf2cdfb-f390-4894-8ec9-f81bf1c57e6b | specterops.io | |
| security.strongdm.com | ebf2cdfb-f390-4894-8ec9-f81bf1c57e6b | security.strongdm.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Hope Walker, SpecterOps
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2025-05-19T00:00:00.000Z | Initial coordinated disclosure submission received from SpecterOps. |
| CNA | 2025-12-12T00:00:00.000Z | Vendor reproduction testing performed on StrongDM Desktop Application 23.51.0. |
| CNA | 2026-04-01T00:00:00.000Z | Fix released in StrongDM Desktop Application 23.74.0 / Desktop Client 53.77.0. |
| CNA | 2026-04-01T13:20:00.000Z | Patch validation completed; condition not reproducible on the fixed release. |
| CNA | 2026-05-30T00:00:00.000Z | Public disclosure and CVE publication. |
Solutions
CNA: Upgrade the StrongDM Desktop Application to version 23.74.0 or later (Desktop Client 53.77.0 or later). The fixed release protects the state.kv file at rest using a platform-native data-protection mechanism (Windows DPAPI on Windows).