VYPR
Low severity · NVD Advisory · Published May 29, 2026

CVE-2026-4387

Description

StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\\.sdm\state.kv. The file is protected only by default user-level NTFS permissions.

Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host.

The condition was reported through coordinated disclosure by Hope Walker (SpecterOps).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

StrongDM Desktop Application stores JWTs and key material in cleartext in a user state file, enabling local credential disclosure.

Vulnerability

CVE-2026-4387 is a cleartext storage vulnerability (CWE-312) in the StrongDM Desktop Application on Microsoft Windows [1]. All versions of the StrongDM Desktop Application below 23.74.0 and of the Desktop Client below 53.77.0 store authentication state, including a JSON Web Token and asymmetric key material, in cleartext in the per-user file C:\Users\\.sdm\state.kv [1]. The file is not encrypted at rest and is protected only by the default user-level NTFS permissions on the profile directory, so any principal that can read the user's profile can read the token and keys [1].

Exploitation

Exploitation requires local read access to the affected user's profile directory on the target Windows host [1]. The attacker therefore needs a prior foothold: code running as that user, a principal such as a local administrator or SYSTEM that the default profile ACL already grants read access, or any other way of reading files out of that profile. The advisory also lists additional deployment and execution conditions on the target host without detailing them [1]. Once the file is readable, no further exploit is required; the token and key material are copied out as-is.

Impact

Upon successful exploitation, an attacker obtains the user's JSON Web Token and asymmetric key material in cleartext [1]. This is a credential disclosure: the attacker can potentially replay the token or use the keys to impersonate the user against StrongDM and reach the StrongDM-managed resources that user is authorized for. The disclosed material is only what that user's client holds, so the attacker gains no more than the affected user already has on the host, with no privilege escalation beyond the user's context [1]; the practical reach of the stolen credential is whatever the user can access through StrongDM.
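The Exploitation and Impact sections above boil down to one triage question for an incident responder: does a copy of the state file contain a usable token or key, and for how long? The script below is an added example and is not StrongDM's code. The advisory does not describe the layout of state.kv, so the scanner treats the file as opaque bytes and looks for the two shapes of secret the advisory says it holds: compact JSON Web Tokens and private keys (assumed here to be PEM-encoded; the real key encoding is not stated). The sample state file, the HS256 signing key and the claim values are all constructed for the example. The JWT is decoded without verifying its signature because the point is to read what it asserts, not to accept it.

```python
"""Offline triage of a client state file for cleartext credential material."""
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional

# A compact JWS is three base64url segments joined by dots. Header and
# payload are JSON objects, so each begins with '{"', which always
# base64-encodes to "ey".
JWT_RE = re.compile(rb"ey[A-Za-z0-9_-]+\.ey[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# PEM private-key blocks; the back-reference requires matching BEGIN/END labels.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.S)


def _b64url_decode(segment: bytes) -> bytes:
    """base64url without padding, as used by JWS."""
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def decode_jwt_unverified(token: bytes) -> dict:
    """Parse header and payload only; the signature is deliberately ignored."""
    header_b64, payload_b64, _signature = token.split(b".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("JWT segments must be JSON objects")
    return {"header": header, "payload": payload}


def scan_state_file(data: bytes, now: Optional[float] = None) -> dict:
    """Return every JWT and PEM private key found in the blob.

    Each JWT is reported with its claims, whether it has expired, and the
    remaining validity in seconds (0 once expired, None if no exp claim)."""
    now = time.time() if now is None else now
    findings = {"jwts": [], "private_keys": []}
    for match in JWT_RE.finditer(data):
        try:
            parsed = decode_jwt_unverified(match.group(0))
        except ValueError:  # covers binascii.Error and JSON/UTF-8 errors
            continue  # base64 that happened to match the shape; not a JWT
        exp = parsed["payload"].get("exp")
        parsed["expired"] = exp is not None and now >= exp
        parsed["seconds_remaining"] = None if exp is None else max(0, int(exp - now))
        findings["jwts"].append(parsed)
    for match in PEM_RE.finditer(data):
        findings["private_keys"].append(match.group(1).decode())
    return findings


# --- constructed sample data (not the real state.kv layout) -----------------

def make_hs256_jwt(payload: dict, key: bytes) -> bytes:
    """Build a signed HS256 token so the sample looks like a real one."""
    def enc(obj: dict) -> bytes:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=")
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + b"." + enc(payload)
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return signing_input + b"." + base64.urlsafe_b64encode(sig).rstrip(b"=")


SAMPLE_KEY_PEM = (b"-----BEGIN EC PRIVATE KEY-----\n"
                  b"ZmFrZSBrZXkgYm9keQ==\n"  # constructed, not a real key
                  b"-----END EC PRIVATE KEY-----")


def build_sample_state(now: float) -> bytes:
    """A hypothetical JSON-shaped state file holding a token and a key."""
    token = make_hs256_jwt(
        {"sub": "alice@example.com", "iss": "sdm", "exp": int(now) + 3600},
        b"constructed-secret")
    state = {"auth": {"token": token.decode(), "key": SAMPLE_KEY_PEM.decode()},
             "last_sync": int(now)}
    return json.dumps(state).encode()


if __name__ == "__main__":
    current = time.time()
    print(json.dumps(scan_state_file(build_sample_state(current), now=current), indent=2))
```

Run it against a copy of the file with `scan_state_file(open(path, "rb").read())`. An expired token narrows the exposure window for replay, but it says nothing about the private key found alongside it, which has no expiry and should be treated as compromised for as long as it remains valid on the StrongDM side.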

Mitigation

StrongDM has released fixed versions: update the StrongDM Desktop Application to version 23.74.0 or later, or the Desktop Client to version 53.77.0 or later [1]. No workarounds were disclosed, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication. Users should apply the update promptly to remediate the risk [1]. Upgrading does not undo any read that already happened: where unauthorized access to the profile directory is suspected, treat the token and key material in that file as exposed and handle them under the usual credential-rotation process.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no fix commit or diff indexed yet; see Mitigation for the fixed versions)

Vulnerability mechanics

No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)