
StrongDM Desktop CVE-2026-4387

EUVD: EUVD-2026-33417 · LOW
Cleartext Storage of Sensitive Information (CWE-312)
2026-05-29 · StrongDM · GHSA-qgjm-4mg2-6wm5
Score: 2.0 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 2.0 LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (4 events)

Analysis Generated: May 29, 2026 21:51 (vuln.today)
Patch available: May 29, 2026 21:02 (EUVD)
CVSS changed: May 29, 2026 20:22 (NVD), 2.0 (LOW)
CVE Published: May 29, 2026 18:28 (nvd), UNKNOWN (no severity yet)

Description (CVE.org)

StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file is protected only by default user-level NTFS permissions.

Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host.

The condition was reported through coordinated disclosure by Hope Walker (SpecterOps).

Analysis (AI)

StrongDM Desktop Application on Microsoft Windows exposes authentication secrets - including JSON Web Tokens and asymmetric key material - by writing them in cleartext to C:\Users\<username>\.sdm\state.kv, a per-user state file protected solely by default NTFS user-level permissions. Versions prior to Desktop Application 23.74.0 and Desktop Client 53.77.0 are affected. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain local low-privilege Windows session
Delivery: Navigate to C:\Users\<username>\.sdm\state.kv
Exploit: Read cleartext JWT and key material
Execution: Replay credentials against StrongDM
Impact: Access victim's authorized infrastructure resources

Vulnerability Assessment (AI)

Exploitation
Exploitation requires a local Windows session with at minimum read access to the target user's profile directory (C:\Users\<username>\.sdm\state.kv). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment
The CVSS 4.0 base score of 2.0 accurately reflects a narrow, locally-constrained vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario
An attacker who has obtained local low-privilege access to a Windows endpoint - for example, via malware, a compromised shared account, or physical access - navigates to C:\Users\<targetuser>\.sdm\state.kv and reads the plaintext file to extract the victim's JWT and asymmetric key material. With these credentials, the attacker can authenticate to StrongDM as the victim user and access any databases, servers, or cloud resources the victim was authorized to reach through the StrongDM gateway, potentially without triggering new authentication prompts. …

Remediation
Upgrade StrongDM Desktop Application to version 23.74.0 or later and StrongDM Desktop Client to version 53.77.0 or later, as confirmed by the vendor advisory at https://security.strongdm.com/?tcuUid=56fde839-9388-4361-8d3b-9baa7b2de2ed. … Detailed patch versions, workarounds, and compensating controls in full report.
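As an added example (not from the advisory, vuln.today or StrongDM), the PowerShell check below inventories which user profiles on a host contain the state file named above and reports whether any principal beyond the profile owner, SYSTEM and Administrators has been granted read access to it, which is the condition that widens the local exposure the advisory describes. It assumes profiles live under C:\Users and that those three principals are the expected default readers; it never opens or prints the file's contents.

```powershell
# Added example: inventory hosts for the cleartext StrongDM state file
# (CVE-2026-4387) and flag ACLs wider than the default profile permissions.
# Assumptions: profiles under C:\Users; owner, SYSTEM and Administrators are
# the expected readers. The file content is never read.

function Test-SdmStateFile {
    param([string]$ProfileRoot = 'C:\Users')

    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory) {
        $stateFile = Join-Path $profile.FullName '.sdm\state.kv'
        if (-not (Test-Path -LiteralPath $stateFile)) { continue }

        $acl = Get-Acl -LiteralPath $stateFile

        # Principals holding an Allow ACE that includes ReadData (covers
        # FullControl, Modify, Read and the bare ReadData right).
        $readers = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.FileSystemRights -band $readData) } |
            ForEach-Object { $_.IdentityReference.Value }

        $expected   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $acl.Owner)
        $unexpected = @($readers | Where-Object { $expected -notcontains $_ } | Sort-Object -Unique)

        [pscustomobject]@{
            User              = $profile.Name
            StateFile         = $stateFile
            Owner             = $acl.Owner
            UnexpectedReaders = ($unexpected -join ', ')
            # Presence of the file alone means secrets are stored in cleartext;
            # the fix is the vendor upgrade, not an ACL change.
            Action            = 'Upgrade Desktop Application to 23.74.0+ / Desktop Client to 53.77.0+'
        }
    }
}

Test-SdmStateFile | Format-Table -AutoSize
```

Run it elevated so that every profile directory can be enumerated; a row with a non-empty UnexpectedReaders column means the file is readable beyond the default user-level NTFS permissions the advisory assumes.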


CVE-2026-4387 vulnerability details – vuln.today
