A critical security flaw, designated as CVE-2026-4387, has been identified in the StrongDM desktop application. The vulnerability allows an attacker to exfiltrate and reuse a user’s authentication state file to hijack their authenticated session.
Because StrongDM stored JSON Web Tokens (JWT) and cryptographic keys in plaintext within a local configuration file, adversaries could transfer this file across hosts to bypass authentication protocols.
This exploit requires user-level access to the file system but ultimately grants the attacker full access to the target’s authorized infrastructure.
StrongDM successfully patched this vulnerability by migrating to platform-native credential storage mechanisms. Users must update to StrongDM Desktop version 23.74.0 and CLI version 53.77.0 or later to secure their environments.
The vulnerability was unearthed during an extensive assessment by SpecterOps, spearheaded by Senior Security Researcher Hope Walker.
The investigation began with a forensic triage of files associated with the StrongDM desktop application, specifically targeting the user and program directories to understand the application’s local footprint.
The initial breakthrough occurred when researchers discovered an unencrypted cache file located at C:\Users\<username>\AppData\Roaming\StrongDM\Cache\Cache_data\data_1.
Upon inspecting the file, the team identified a JSON response containing a JWT. By utilizing Python and ROADtools libraries, the team decoded the token locally, confirming it was directly associated with the currently authenticated user session.
Further analysis revealed the origin of this token: a local endpoint at http://127.0.0.1:65220/v2/authentication. Initial attempts to intercept and manipulate traffic using traditional proxies like Burp Suite were unsuccessful.
However, by leveraging built-in command-line tools like curl.exe, the research team isolated the necessary parameters. They discovered that simply including the header Sec-Fetch-Mode: no-cors was sufficient to force the endpoint to return a valid JWT, provided the StrongDM desktop application was actively running.
While the JWT is a critical piece of the authentication puzzle, gaining full control over a session also requires the corresponding public and private key pairs.
To map the full authentication sequence, SpecterOps utilized Process Monitor to observe real-time file and registry interactions during a fresh login attempt. The telemetry highlighted repeated interactions with a specific key-value file:
C:\Users\<username>\.sdm\state.kv
When researchers opened state.kv, they found a treasure trove of plaintext authentication material. The file contained not only the JWT but also the complete public and private key pair required to establish a secure connection.
Crucially, evaluating the Access Control Lists (ACLs) on the file revealed that it only required standard user-level permissions to read and copy.
With the authentication material successfully isolated, the next objective was weaponization. Could this plaintext material be ported to a foreign host to hijack the session?
- Initial Access: The attacker requires user-level permissions on the victim’s machine (HOST1) to access the C:\Users\<username>\.sdm\state.kv file.
- Exfiltration: The attacker copies the active state.kv file associated with the target user (USER1).
- Implantation: On a separate, attacker-controlled machine within the environment (HOST2), the attacker launches StrongDM under their own account (USER2).
- Execution: The attacker overwrites the local state file at C:\Users\<USER2>\.sdm\state.kv with the exfiltrated file from USER1.
- Session Hijack: When the StrongDM application refreshes, it consumes the injected state file, successfully authenticating the attacker as USER1 and granting access to all underlying infrastructure resources authorized for that account.
The assessment team didn’t stop at internal lateral movement. They pushed the boundaries by attempting to reuse the state file on a completely external, freshly deployed Virtual Machine.
Initial attempts failed because the StrongDM application detected environmental mismatches and cleared the state file upon launch.
However, the operators found a reliable bypass: allow the StrongDM desktop application to fully launch before injecting the exfiltrated state.kv file into the directory.
The application then seamlessly consumed the new token on its next refresh cycle. This timing dependency allowed the hijack to succeed on entirely untrusted, external hardware.
Understanding the mechanics of CVE-2026-4387 is highly relevant for defensive and offensive security professionals operating in modern infrastructure environments.
- For Penetration Testers: This vulnerability highlights the critical importance of evaluating local client-side storage during internal network engagements. Relying on assumed zero-trust architecture can blind defenders to local credential harvesting. State file theft provides a silent, highly effective method for lateral movement and privilege escalation without triggering traditional network-based identity alerts.
- For SOC Analysts & DevSecOps: The exposure of plaintext cryptographic keys underscores the necessity of robust endpoint detection and response (EDR) rules. Security Operation Centers should prioritize monitoring the .sdm directory for abnormal file read/write operations, particularly when initiated by non-standard processes or executed across unusual timeframes.
- For Cloud Security Engineers: IAM architectures must enforce strict hardware binding or utilize TPM-backed token storage to ensure that valid tokens cannot be simply copy-pasted across different physical machines.
Mitigation
In response to the vulnerability report, StrongDM executed a comprehensive remediation strategy. The core issue, storing sensitive authentication material in plaintext, was resolved by migrating to platform-native credential storage solutions.
- Windows Environments: The application now utilizes the Data Protection API (DPAPI) to encrypt the authentication blobs.
- macOS Environments: The application leverages the native macOS Keychain for secure storage.
As of March 17, 2026, the updated architecture ensures that while the state.kv file still exists, it no longer contains the plaintext JWT.
Furthermore, the cache file (data_1) has been scrubbed of sensitive token data. SpecterOps validated the patch, confirming that transferring the file across hosts no longer grants session access, effectively neutralizing the attack vector.
Required Action: Organizations must immediately upgrade their deployments to StrongDM Desktop version 23.74.0 and CLI version 53.77.0 (or newer).
- May 15, 2025: SpecterOps begins investigating the StrongDM application during a broader assessment.
- May 30, 2025: Initial vulnerability report opened via HackerOne.
- Dec 3, 2025 – Dec 16, 2025: Initial administrative hurdles and erroneous closures across bug bounty platforms.
- Jan 7, 2026: SpecterOps and StrongDM establish direct communication; report is successfully reopened.
- March 24, 2026: StrongDM rolls out the remediation for Windows and macOS environments via CLI version 53.77.0.
- May 11-14, 2026: SpecterOps conducts comprehensive retesting, validating the DPAPI/Keychain fixes.
- May 29, 2026: CVE-2026-4387 is officially published to the Trust Center.
- June 1, 2026: Full public disclosure.
FAQ
What is CVE-2026-4387?
It is a vulnerability in StrongDM that allowed attackers to steal a plaintext state file and reuse it on another machine to hijack an authenticated session.
Which versions of StrongDM are affected by this vulnerability?
StrongDM Desktop versions prior to 23.74.0 and CLI versions prior to 53.77.0 are vulnerable.
How did StrongDM fix the state file reuse issue?
They stopped storing credentials in plaintext and moved to using platform-native encrypted storage like Windows DPAPI and macOS Keychain.
Do attackers need administrative privileges to execute this exploit?
No, an attacker only requires standard user-level permissions to access and copy the vulnerable state file.