Critical StrongDM Vulnerability Allowed Session Hijacking via Plaintext Credentials
A critical flaw in StrongDM's desktop application enabled attackers to steal and reuse authentication tokens, leading to session hijacking and unauthorized access to sensitive enterprise infrastructure.

A critical authentication vulnerability, identified as CVE-2026-4387, has been discovered in StrongDM's desktop application, allowing threat actors to hijack user sessions by stealing and reusing plaintext authentication materials stored locally. This flaw could grant attackers unfettered access to sensitive enterprise infrastructure managed through StrongDM.
The vulnerability stems from how StrongDM's desktop client handled session data. Upon a successful login, the application would save authentication credentials, including a JSON Web Token (JWT) and associated public and private keys, in a plaintext file named state.kv located within the user's .sdm directory. This file was accessible with only user-level permissions, making it a prime target for attackers who had already gained some level of access to a victim's system.
SpecterOps, the security firm that discovered the vulnerability, demonstrated that an attacker could simply copy this state.kv file from a compromised machine to another system. The StrongDM client on the new machine would then automatically authenticate as the legitimate user, hijacking the session without the attacker ever knowing the user's password or other login credentials. This attack vector was shown to be effective even when transferring the file across different hosts, bypassing certain security measures designed to protect against such reuse.
Further analysis revealed that a local endpoint at http://127.0.0.1:65220/v2/authentication could also expose JWT tokens with minimal headers. Additionally, cached files like data_1 were found to store sensitive authentication data. The core issue was the lack of binding between the session tokens and the specific host environment, which facilitated the reuse of authentication material across disparate systems.
The impact of this vulnerability is severe. It enables complete session hijacking, allowing attackers to access critical resources such as databases, servers, and cloud environments managed by StrongDM. The ease of exploitation, requiring only user-level privileges, significantly lowers the barrier for attackers, particularly in post-compromise scenarios where lateral movement is a common objective.
StrongDM has addressed this critical flaw by implementing robust security measures in its latest versions. The company has removed the plaintext storage of sensitive authentication data. Instead, the updated StrongDM Desktop (version 23.74.0) and CLI (version 53.77.0) now utilize platform-native secure storage mechanisms, such as DPAPI on Windows and Keychain on macOS. JWTs are no longer stored in the state.kv file, effectively preventing their reuse across different systems.
SpecterOps initially reported the vulnerability in May 2025, with StrongDM implementing a fix in March 2026. The vulnerability was publicly disclosed on May 29, 2026, with broader details emerging on June 1, 2026. Users are strongly urged to update their StrongDM applications to the latest versions to mitigate the risk of session hijacking and unauthorized access.
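For defenders triaging this advisory, the check below is an added example (not SpecterOps' or StrongDM's code) that audits a host for the two conditions described above: a state.kv that still contains JWT-shaped tokens in plaintext, and a client version older than the fixed Desktop/CLI releases. The exact on-disk format of state.kv is not documented in the article, so the example simply scans the file's text; the sample file contents and token are constructed, and reported tokens are redacted.

```python
import base64
import json
import re

# Fixed client versions as stated in the advisory above.
FIXED_DESKTOP = (23, 74, 0)
FIXED_CLI = (53, 77, 0)

# Loose JWT shape: three base64url segments separated by dots.
_JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _looks_like_jwt(candidate: str) -> bool:
    """True when the first segment decodes to a JSON object carrying an 'alg' field."""
    try:
        header = json.loads(_b64url_decode(candidate.split(".")[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header


def find_jwts(text: str) -> list:
    """Return every JWT-shaped token found in a text blob (e.g. a state.kv dump)."""
    return [m.group(0) for m in _JWT_RE.finditer(text) if _looks_like_jwt(m.group(0))]


def redact(token: str) -> str:
    """Keep only a short header prefix so an audit report never reproduces a usable token."""
    return token[:12] + "...[redacted]"


def version_is_fixed(version: str, fixed: tuple) -> bool:
    """Compare a dotted version string against the fixed release tuple."""
    return tuple(int(p) for p in version.split(".")) >= fixed


def audit(state_kv_text: str, desktop_version: str) -> dict:
    """Summarise exposure: plaintext JWTs present, and whether the Desktop client is patched."""
    tokens = find_jwts(state_kv_text)
    patched = version_is_fixed(desktop_version, FIXED_DESKTOP)
    action = "none" if patched and not tokens else "upgrade client and re-authenticate"
    return {"plaintext_jwts": [redact(t) for t in tokens], "client_patched": patched, "action": action}


def make_sample_jwt() -> str:
    """Constructed, unsigned sample token; the third segment is a dummy signature."""
    def enc(d): return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'sub': 'alice', 'exp': 0})}.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"


# Constructed stand-in for the contents of ~/.sdm/state.kv on an unpatched client (assumed layout).
SAMPLE_STATE_KV = f'{{"token": "{make_sample_jwt()}", "public_key": "ssh-ed25519 AAAA..."}}'

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_STATE_KV, "23.73.0"), indent=2))
```

On a real host, read the file from the user's .sdm directory and pass the installed version string; a non-empty `plaintext_jwts` list after upgrading means the user should re-authenticate so the old token is invalidated.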
This incident underscores the critical importance of secure credential storage practices. It highlights the potential dangers of storing sensitive authentication tokens in plaintext files and emphasizes the necessity of implementing proper session binding mechanisms to prevent sophisticated reuse attacks.