CVE-2026-4387

UNKNOWN 0.0

Unencrypted storage of authentication state in StrongDM Desktop Application state.kv file

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

1th

StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file is protected only by default user-level NTFS permissions. Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host. The condition was reported through coordinated disclosure by Hope Walker (SpecterOps).

CWE	CWE-312 CWE-522
Vendor	strongdm
Product	strongdm desktop application
Published	May 29, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for strongdm strongdm desktop application

Be the first to know when new unknown vulnerabilities affecting strongdm strongdm desktop application are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

StrongDM / StrongDM Desktop Application

0 < 23.74.0

StrongDM / StrongDM Desktop Client

0 < 53.77.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

security.strongdm.com: https://security.strongdm.com/?tcuUid=56fde839-9388-4361-8d3b-9baa7b2de2ed specterops.io: https://specterops.io/blog/2026/06/01/cve-2026-4387-strongdm-state-file-reuse/

Credits

Hope Walker, SpecterOps