PatchSiren cyber security CVE debrief
CVE-2026-4387 StrongDM CVE debrief
CVE-2026-4387 documents a local information disclosure vulnerability in StrongDM Desktop Application versions prior to 23.74.0 (Desktop Client prior to 53.77.0) on Microsoft Windows. The application stores authentication state—including a JSON Web Token and asymmetric key material—in cleartext within a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file relies solely on default user-level NTFS permissions for protection. Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host. The vulnerability was reported through coordinated disclosure by Hope Walker of SpecterOps. The CVSS 4.0 vector indicates local attack vector with low attack complexity, partial attack timing, low privileges required, and no user interaction, with low impacts to confidentiality, integrity, and availability of the system and subsequent systems. The vulnerability is classified under CWE-312 (Cleartext Storage of Sensitive Information) and CWE-522 (Insufficiently Protected Credentials).
- Vendor: StrongDM
- Product: StrongDM Desktop Application
- CVSS: LOW 2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations deploying StrongDM Desktop Application or Desktop Client on Windows endpoints should prioritize patching, particularly in shared workstation environments, development environments with multiple user accounts, or scenarios where endpoint compromise is a concern. Security teams should assess exposure of state.kv files in backup systems and user profile roaming shares.
Technical summary
The StrongDM Desktop Application on Windows persists authentication state to a JSON-formatted state file (state.kv) in the user's home directory under .sdm. This file contains a JSON Web Token and asymmetric private key material stored without encryption. The vulnerability exists because the application does not implement cryptographic protection for sensitive authentication artifacts at rest. Access to this file is governed by standard NTFS user profile permissions, meaning any process executing with the user's privileges or any attacker with local access to the user's profile can extract valid authentication tokens and key material. The CVSS 4.0 score of 2.0 (LOW severity) reflects the local attack vector and the requirement for existing local access, though the impact of credential compromise could enable lateral movement or unauthorized access to StrongDM-managed infrastructure. The vulnerability was remediated in Desktop Application 23.74.0 and Desktop Client 53.77.0.
Defensive priority
low
Recommended defensive actions
- Upgrade StrongDM Desktop Application to version 23.74.0 or later, or Desktop Client to version 53.77.0 or later to remediate the cleartext credential storage vulnerability.
- Review and restrict file system permissions on user profile directories to minimize exposure of sensitive state files.
- Audit endpoints for presence of .sdm\state.kv files in user profiles and verify that upgraded versions have replaced legacy state files.
- Monitor for unauthorized access attempts to user profile directories containing StrongDM state files.
- Implement endpoint detection and response (EDR) policies to alert on suspicious read operations targeting authentication state files.
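One way to carry out the audit and permission review from the list above, as an added example that is not StrongDM's or this page's own code. It assumes profiles live under C:\Users, that the script runs elevated so it can read other users' ACLs, and that the trustee baseline and the JWT-shaped pattern (both constructed here) suit your environment.

```powershell
# Added example: audit local profiles for the state file named in the advisory.
# Assumptions (not from the advisory): profile root, trustee baseline, JWT pattern.
param(
    [string]$ProfileRoot = 'C:\Users'
)

# Trustees expected on a default per-user profile file, besides the owner (assumed baseline).
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# A JWT is three dot-separated base64url segments; the JSON header encodes to "eyJ...".
$jwtPattern = 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'

$findings = foreach ($userDir in Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue) {
    $stateFile = Join-Path $userDir.FullName '.sdm\state.kv'
    if (-not (Test-Path -LiteralPath $stateFile -PathType Leaf)) { continue }

    $item = Get-Item -LiteralPath $stateFile -Force
    $acl  = Get-Acl -LiteralPath $stateFile

    # Any Allow entry for a trustee other than the owner or the baseline widens exposure.
    $extra = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -ne $acl.Owner -and
            $expected -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object { '{0} ({1})' -f $_.IdentityReference.Value, $_.FileSystemRights }

    # Record only whether a token-shaped string is present; the match itself is never output.
    $hasJwt = [bool](Select-String -LiteralPath $stateFile -Pattern $jwtPattern -Quiet)

    [pscustomobject]@{
        Profile       = $userDir.Name
        Path          = $stateFile
        LastWriteTime = $item.LastWriteTime
        Owner         = $acl.Owner
        ExtraTrustees = $extra -join '; '
        CleartextJwt  = $hasJwt
    }
}

$findings | Sort-Object Profile | Format-Table -AutoSize -Wrap
```

A row with `CleartextJwt` set to True after the upgrade points to a legacy state file that was not replaced; a non-empty `ExtraTrustees` column shows accounts beyond the owner that can reach the file.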
Evidence notes
Vulnerability description and technical details sourced from NVD record published 2026-05-29. Vendor attribution derived from reference domain candidate 'Strongdm' with low confidence; vendor name marked as 'Unknown Vendor' pending verification. CVSS 4.0 vector and weakness classifications (CWE-312, CWE-522) obtained from NVD enrichment data. Coordinated disclosure attribution to Hope Walker (SpecterOps) per CVE description.
Official resources
- CVE-2026-4387 CVE record (CVE.org)
- CVE-2026-4387 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ebf2cdfb-f390-4894-8ec9-f81bf1c57e6b
2026-05-29