CVE-2026-4387: CWE-312 Cleartext Storage of Sensitive Information in StrongDM StrongDM Desktop Application
StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file is protected only by default user-level NTFS permissions. Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host. The condition was reported through coordinated disclosure by Hope Walker (SpecterOps).
AI Analysis
Technical Summary
The vulnerability CVE-2026-4387 affects StrongDM Desktop Application on Windows platforms prior to version 23.74.0 (Desktop Client before 53.77.0). It involves cleartext storage of sensitive authentication state data, including JSON Web Tokens and asymmetric key material, in a per-user state file (state.kv) under the user's profile directory. The file is only protected by default NTFS permissions, which means any local user with read access to the profile directory could potentially access these sensitive credentials. Exploitation requires local access and additional deployment conditions. No official patch or remediation level has been published by the vendor as of the provided data.
Potential Impact
Exposure of authentication tokens and key material in cleartext could allow an attacker with local read access to the user's profile directory to obtain credentials that may facilitate unauthorized access or impersonation within the StrongDM environment. However, exploitation requires local access and specific conditions, limiting the scope and ease of exploitation. The CVSS score of 2 (low severity) reflects the limited attack vector and complexity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict local access to user profile directories and ensure NTFS permissions are properly configured to prevent unauthorized read access. Monitor vendor communications for updates regarding patches or official mitigations.
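One way to check the NTFS permissions this recommendation refers to, as an added example (not code from the vendor or the reporter): it lists every principal other than the file owner, SYSTEM and Administrators that holds an Allow ACE with read-data rights on a state.kv file. It assumes profiles live under C:\Users, that the file owner is the profile's user, and that the session is elevated so other users' ACLs can be read; the function name is hypothetical.

```powershell
# Added example: audit read access to each user's StrongDM state file.
# The .sdm\state.kv path is from the advisory; the expected-reader list is an assumption.
$SidType  = [System.Security.Principal.SecurityIdentifier]
$Expected = @('S-1-5-18',      # NT AUTHORITY\SYSTEM
              'S-1-5-32-544')  # BUILTIN\Administrators
$ReadData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-StateFileExposure {
    param([string]$ProfilesRoot = 'C:\Users')   # assumption: default profile root

    Get-ChildItem -LiteralPath $ProfilesRoot -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $stateFile = Join-Path $_.FullName '.sdm\state.kv'
        if (-not (Test-Path -LiteralPath $stateFile -PathType Leaf)) { return }

        $acl   = Get-Acl -LiteralPath $stateFile
        $owner = $acl.GetOwner($SidType).Value   # assumed to be the profile's user

        # Explicit and inherited ACEs, with identities returned as SIDs
        # so the comparison does not depend on the display language.
        foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow')                  { continue }
            if (([int]$ace.FileSystemRights -band $ReadData) -eq 0)  { continue }
            if ($sid -eq $owner -or $Expected -contains $sid)        { continue }

            # Anything reaching this point can read the cleartext state file.
            [pscustomobject]@{
                File      = $stateFile
                Principal = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-StateFileExposure | Format-Table -AutoSize
```

An empty result means only the owner, SYSTEM and Administrators have read access; any row is an ACE to review, and `Inherited = True` points at the parent `.sdm` or profile directory as the place to fix it.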
CVSS v4.0
Score: 2.0 (low)
Technical Details
- Data Version: 5.2
- Assigner Short Name: StrongDM
- Date Reserved: 2026-03-18T13:52:47.802Z
- Cvss Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a19e68ee29bf47b50037d7f
Added to database: 5/29/2026, 7:18:38 PM
Last enriched: 5/29/2026, 7:33:40 PM
Last updated: 5/29/2026, 8:23:19 PM