Description
StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file is protected only by default user-level NTFS permissions.

Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host.

The condition was reported through coordinated disclosure by Hope Walker (SpecterOps).
Published: 2026-05-29
Score: 2 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

StrongDM Desktop Application stores a JSON Web Token and asymmetric key material in cleartext within the user's state.kv file. If an attacker can read the target user's profile directory, they can retrieve both the token and the key material, which may enable authentication as that user or further credential theft. The vulnerability exemplifies insecure storage (CWE-312) and inadequate protection of credentials (CWE-522).

Affected Systems

StrongDM Desktop Application and Desktop Client on Microsoft Windows versions prior to 23.74.0 and 53.77.0 respectively. The vulnerable file is located at C:\Users\<username>\.sdm\state.kv and is protected only by default user-level NTFS permissions.

Risk and Exploitability

The CVSS score of 2 indicates low severity. The EPSS score is not available, suggesting a low probability of exploitation. The flaw can only be leveraged by users who have local read access to the victim's profile and who meet the deployment and execution conditions described by the vendor. It is not catalogued in the CISA KEV list, so it has not been linked to known large-scale attacks, yet local compromise of the token can lead to significant credential misuse.

Generated by OpenCVE AI on May 29, 2026 at 20:23 UTC.

Remediation

Vendor Solution

Upgrade the StrongDM Desktop Application to version 23.74.0 or later (Desktop Client 53.77.0 or later). The fixed release protects the state.kv file at rest using a platform-native data-protection mechanism (DPAPI on Windows).
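The following is an added illustration of the control the vendor fix describes, not StrongDM's code: a token blob is wrapped with DPAPI in CurrentUser scope before it is written, so the bytes on disk no longer contain the credential in cleartext, while the same Windows user can still recover it. The token value, the file path under %TEMP% and the function names are constructed for this example.

```powershell
# Added example (not StrongDM's code): protecting a state blob at rest with DPAPI,
# the platform-native mechanism the fixed release is described as using.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows; the token and
# path below are constructed for illustration and are not real credentials.
try { Add-Type -AssemblyName System.Security } catch { }   # needed on 5.1, present on 7

function Protect-StateBlob {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [Parameter(Mandatory)][string]$Path,
        # Optional secondary secret. Without it, any process running as the same
        # user can call Unprotect: DPAPI binds the blob to the user, not to the app.
        [byte[]]$Entropy = $null
    )
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $cipher = [System.Security.Cryptography.ProtectedData]::Protect(
        $plain, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.IO.File]::WriteAllBytes($Path, $cipher)
    # Scrub the plaintext copy this function created.
    [Array]::Clear($plain, 0, $plain.Length)
}

function Unprotect-StateBlob {
    param(
        [Parameter(Mandatory)][string]$Path,
        [byte[]]$Entropy = $null
    )
    $cipher = [System.IO.File]::ReadAllBytes($Path)
    $plain  = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $cipher, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.Text.Encoding]::UTF8.GetString($plain)
}

# Demonstration with a constructed token (not a real JWT or key).
$demoPath  = Join-Path $env:TEMP 'state.kv.dpapi-demo'
$demoToken = '{"jwt":"eyJhbGciOiJub25lIn0.demo.sig","note":"constructed"}'
Protect-StateBlob -PlainText $demoToken -Path $demoPath

# The on-disk bytes no longer contain the token in cleartext ...
$onDisk = [System.IO.File]::ReadAllBytes($demoPath)
if ([System.Text.Encoding]::UTF8.GetString($onDisk) -like '*eyJhbGci*') {
    throw 'token still present in cleartext'
}

# ... but the same user can recover it. A different local user, or a copy of the
# file taken to another host without this user's DPAPI master key, cannot.
$roundTrip = Unprotect-StateBlob -Path $demoPath
Write-Host ("Round trip OK: {0}" -f ($roundTrip -eq $demoToken))
Remove-Item -LiteralPath $demoPath
```

CurrentUser-scope DPAPI ties the blob to the user's logon credential, which is exactly the boundary the advisory's finding lacked. It does not separate applications running as the same user, so per-user file permissions and access monitoring still matter after the upgrade; the optional entropy parameter raises the bar only as far as the entropy itself is kept out of reach.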


OpenCVE Recommended Actions

  • Upgrade the StrongDM Desktop Application to version 23.74.0 or later and the Desktop Client to 53.77.0 or later, which enforce platform-native protection of the state file.
  • If an upgrade cannot be performed immediately, adjust the NTFS permissions on the C:\Users\<username>\.sdm folder to grant read access only to the intended account or administrators.
  • Monitor the .sdm state files for abnormal access and ensure users follow least-privilege practices until the patch is applied.
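The second and third actions above can be carried out with the script below. It is an added example, not OpenCVE's or StrongDM's tooling: it reports every ACE on the user's .sdm folder that belongs to a principal other than the profile owner, SYSTEM or the local Administrators group, and with -Harden it breaks inheritance and re-grants only those three, then adds an audit (SACL) entry on state.kv so that reads are written to the Security log as Event ID 4663. The script name, the -Account and -Harden parameters and the Get-WellKnownSid helper are this example's own; the folder path is the one named in the advisory.

```powershell
# Added example (not OpenCVE's or StrongDM's code): audit, and with -Harden tighten,
# the NTFS ACL on the per-user .sdm folder named in the advisory, and add a SACL so
# that reads of state.kv are recorded in the Security log (Event ID 4663) while the
# upgrade is pending. Assumptions: Windows PowerShell 5.1+ on Windows; run in the
# affected user's session, or elevated with -Account naming that user. Without
# -Harden nothing is changed. Setting the SACL requires elevation.
[CmdletBinding()]
param(
    [string]$SdmDir  = (Join-Path $env:USERPROFILE '.sdm'),
    [string]$Account = "$env:USERDOMAIN\$env:USERNAME",
    [switch]$Harden
)

function Get-WellKnownSid([System.Security.Principal.WellKnownSidType]$Type) {
    [System.Security.Principal.SecurityIdentifier]::new($Type, $null)
}

$stateFile = Join-Path $SdmDir 'state.kv'
if (-not (Test-Path -LiteralPath $SdmDir)) {
    Write-Warning "$SdmDir not found; the StrongDM client may not be installed for this profile."
    return
}

# Principals that may legitimately read the state file: the profile owner, SYSTEM,
# and the local Administrators group (who could take ownership in any case).
$allowed = @(
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]),
    (Get-WellKnownSid LocalSystemSid),
    (Get-WellKnownSid BuiltinAdministratorsSid)
)

# Report every ACE granted to anyone outside that set (for example Users,
# Authenticated Users or Everyone), whether explicit or inherited from the profile root.
$acl = Get-Acl -LiteralPath $SdmDir
$unexpected = @($acl.Access | Where-Object {
    $ruleSid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    $allowed -notcontains $ruleSid
})
foreach ($ace in $unexpected) {
    $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Warning ("{0}: {1} {2} {3} ({4})" -f $SdmDir, $ace.AccessControlType,
        $ace.IdentityReference, $ace.FileSystemRights, $src)
}

if ($Harden) {
    # Stop inheriting from the profile root, drop explicit ACEs, grant only $allowed.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleAll($ace)
    }
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($id in $allowed) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, [System.Security.AccessControl.FileSystemRights]::FullControl, $flags,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow))
    }
    Set-Acl -LiteralPath $SdmDir -AclObject $acl

    if (Test-Path -LiteralPath $stateFile) {
        # Audit successful reads of the state file by anyone. Events appear only if
        # the "File System" object-access subcategory is enabled, for example:
        #   auditpol /set /subcategory:"File System" /success:enable
        $sacl = Get-Acl -LiteralPath $stateFile -Audit
        $sacl.AddAuditRule([System.Security.AccessControl.FileSystemAuditRule]::new(
            (Get-WellKnownSid WorldSid),
            [System.Security.AccessControl.FileSystemRights]::ReadData,
            [System.Security.AccessControl.AuditFlags]::Success))
        Set-Acl -LiteralPath $stateFile -AclObject $sacl
    }
}

[pscustomobject]@{
    Folder         = $SdmDir
    StateFileFound = (Test-Path -LiteralPath $stateFile)
    UnexpectedAces = $unexpected.Count
    Hardened       = [bool]$Harden
}
```

Run it without switches (for example as `.\Check-SdmAcl.ps1`, a hypothetical file name) to get a report, and elevated with `-Harden` to apply the changes. The audit rule deliberately covers Everyone, so the StrongDM client's own reads are logged too; the useful signal in the resulting 4663 events is the Process Name field, which lets a detection baseline the client binary and alert on any other process reading state.kv.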

Generated by OpenCVE AI on May 29, 2026 at 20:23 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file is protected only by default user-level NTFS permissions. Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host. The condition was reported through coordinated disclosure by Hope Walker (SpecterOps).
Title | | Unencrypted storage of authentication state in StrongDM Desktop Application state.kv file
Weaknesses | | CWE-312, CWE-522
References | |
Metrics | | cvssV4_0 {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: StrongDM

Published:

Updated: 2026-05-29T19:49:33.218Z

Reserved: 2026-03-18T13:52:47.802Z

Link: CVE-2026-4387

Vulnrichment

Updated: 2026-05-29T19:49:25.134Z

NVD

Status: Received

Published: 2026-05-29T20:16:30.650

Modified: 2026-05-29T20:16:30.650

Link: CVE-2026-4387

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T20:30:07Z

Weaknesses