StrongDM: Critical StrongDM Vulnerability Allows Attackers to Steal and Reuse Authentication

Critical StrongDM Authentication Flaw Allowed Session Hijacking via Local File Theft

A severe vulnerability in StrongDM’s desktop application (CVE-2026-4387) was discovered by SpecterOps, enabling attackers to hijack user sessions by reusing locally stored authentication material. The flaw, present in versions prior to StrongDM Desktop 23.74.0 and CLI 53.77.0, stemmed from insecure storage of session data in a plaintext file (C:\Users\<username>\.sdm\state.kv).

The file contained unencrypted JSON Web Tokens (JWTs) and cryptographic key pairs, accessible with only user-level permissions. Attackers could copy this file from a compromised system to another machine, allowing the StrongDM client to authenticate as the victim without credentials. The vulnerability persisted even when the file was replaced after application launch, bypassing protections and exposing weaknesses in the authentication flow.

Additional risks included an exposed local endpoint (http://127.0.0.1:65220/v2/authentication) leaking JWTs and cached files storing sensitive data. The lack of host-environment binding for session tokens enabled cross-system reuse, amplifying the threat. Exploitation could grant attackers access to databases, servers, and cloud resources, facilitating lateral movement within enterprise networks.

StrongDM addressed the issue by eliminating plaintext storage of authentication data, transitioning to platform-native secure storage (DPAPI on Windows, Keychain on macOS) and removing JWTs from the state.kv file. The vulnerability was reported in May 2025, patched in March 2026, and publicly disclosed on May 29, 2026, with broader details released on June 1, 2026. Security validation confirmed that session file reuse no longer grants unauthorized access.
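As an added example, not from the article or from StrongDM, here is a defender-side check matching the "security validation" step above: it scans a raw copy of a client's local state file for JWT-shaped strings and reports what it finds, so an administrator can confirm after upgrading that no plaintext token remains. The file contents and the token are constructed; the real state.kv layout is not documented on this page.

```python
import base64
import json
import re
import time
from typing import List, Optional

# A compact JWT is three base64url segments; "eyJ" is how base64url('{"') begins.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def _b64url_json(segment: bytes):
    """Decode one base64url JWT segment to its JSON value (no signature check)."""
    return json.loads(base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4)))

def find_plaintext_jwts(blob: bytes, now: Optional[float] = None) -> List[dict]:
    """Describe every JWT-shaped string in a raw file image.

    Format-agnostic on purpose: it runs over any local state or cache file,
    whatever its layout, so it doubles as a post-upgrade check that no token
    is still sitting there in the clear.
    """
    now = time.time() if now is None else now
    findings = []
    for match in JWT_RE.finditer(blob):
        head, body, _sig = match.group(0).split(b".")
        try:
            header, claims = _b64url_json(head), _b64url_json(body)
        except ValueError:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
            continue  # base64-looking text that is not a JWT
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            continue
        exp = claims.get("exp")
        findings.append({
            "offset": match.start(),
            "alg": header.get("alg"),
            "sub": claims.get("sub"),
            "expired": isinstance(exp, (int, float)) and exp < now,
        })
    return findings

def _b64url(obj) -> bytes:
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=")

# Constructed sample only: the real state.kv layout is not documented on this page,
# and the signature segment is a dummy that the scanner never verifies.
SAMPLE_TOKEN = b".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                          _b64url({"sub": "alice@example.test", "exp": 1_900_000_000}),
                          b"dummysignature"])
PRE_FIX_STATE = b'{"session":"' + SAMPLE_TOKEN + b'","host":"laptop-01"}'
POST_FIX_STATE = b'{"session_ref":"kept-in-os-keystore","host":"laptop-01"}'
```

Run it over a copy of the file taken with the application closed; a non-empty result means authentication material is still readable with only user-level file access.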

Source: https://cybersecuritynews.com/strongdm-vulnerability/

StrongDM cybersecurity rating report: https://www.rankiteo.com/company/strongdm

"id": "STR1780388883",
"linkid": "strongdm",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Enterprises using StrongDM '
                                              'Desktop (versions prior to '
                                              '23.74.0) or CLI (versions prior '
                                              'to 53.77.0)',
                        'industry': 'Cybersecurity, Identity and Access '
                                    'Management (IAM)',
                        'name': 'StrongDM',
                        'type': 'Company'}],
 'attack_vector': 'Local File Theft',
 'customer_advisories': 'Users advised to update to StrongDM Desktop 23.74.0+ '
                        'or CLI 53.77.0+ to mitigate the vulnerability',
 'data_breach': {'data_encryption': 'No (plaintext storage)',
                 'file_types_exposed': ['JSON Web Tokens (JWTs)',
                                        'Cryptographic key pairs',
                                        'Cached sensitive data'],
                 'sensitivity_of_data': 'High (authentication material '
                                        'enabling unauthorized access)',
                 'type_of_data_compromised': 'Session tokens (JWTs), '
                                             'cryptographic key pairs, '
                                             'sensitive cached data'},
 'date_detected': '2025-05',
 'date_publicly_disclosed': '2026-05-29',
 'date_resolved': '2026-03',
 'description': 'A severe vulnerability in StrongDM’s desktop application '
                '(CVE-2026-4387) enabled attackers to hijack user sessions by '
                'reusing locally stored authentication material. The flaw '
                'stemmed from insecure storage of session data in a plaintext '
                'file (`C:\\Users\\<username>\\.sdm\\state.kv`), which '
                'contained unencrypted JSON Web Tokens (JWTs) and '
                'cryptographic key pairs. Attackers could copy this file from '
                'a compromised system to another machine, allowing the '
                'StrongDM client to authenticate as the victim without '
                'credentials. The vulnerability persisted even when the file '
                'was replaced after application launch, exposing weaknesses in '
                'the authentication flow. Additional risks included an exposed '
                'local endpoint leaking JWTs and cached files storing '
                'sensitive data. Exploitation could grant attackers access to '
                'databases, servers, and cloud resources, facilitating lateral '
                'movement within enterprise networks.',
 'impact': {'data_compromised': 'Session tokens (JWTs), cryptographic key '
                                'pairs, sensitive cached data',
            'identity_theft_risk': 'High (due to session hijacking and access '
                                   'to sensitive resources)',
            'operational_impact': 'Unauthorized access to databases, servers, '
                                  'and cloud resources; lateral movement '
                                  'within enterprise networks',
            'systems_affected': 'StrongDM Desktop (versions prior to 23.74.0), '
                                'StrongDM CLI (versions prior to 53.77.0)'},
 'investigation_status': 'Completed',
 'lessons_learned': 'Insecure storage of authentication material can lead to '
                    'session hijacking and unauthorized access. '
                    'Platform-native secure storage solutions (e.g., DPAPI, '
                    'Keychain) should be used to protect sensitive data. '
                    'Session tokens should be bound to host environments to '
                    'prevent cross-system reuse.',
 'post_incident_analysis': {'corrective_actions': 'Transitioned to '
                                                  'platform-native secure '
                                                  'storage, removed JWTs from '
                                                  '`state.kv` file, patched '
                                                  'vulnerable versions',
                            'root_causes': 'Insecure plaintext storage of '
                                           'session tokens (JWTs) and '
                                           'cryptographic key pairs in a local '
                                           'file (`state.kv`), lack of '
                                           'host-environment binding for '
                                           'session tokens'},
 'recommendations': ['Implement platform-native secure storage for '
                     'authentication material',
                     'Bind session tokens to host environments to prevent '
                     'cross-system reuse',
                     'Regularly audit and update authentication flows for '
                     'security weaknesses',
                     'Monitor for unauthorized access attempts using stolen '
                     'session tokens'],
 'references': [{'source': 'SpecterOps'}],
 'response': {'communication_strategy': 'Public disclosure on May 29, 2026, '
                                        'with broader details released on June '
                                        '1, 2026',
              'containment_measures': 'Transitioned to platform-native secure '
                                      'storage (DPAPI on Windows, Keychain on '
                                      'macOS), removed JWTs from `state.kv` '
                                      'file',
              'recovery_measures': 'Security validation to confirm session '
                                   'file reuse no longer grants unauthorized '
                                   'access',
              'remediation_measures': 'Eliminated plaintext storage of '
                                      'authentication data, patched vulnerable '
                                      'versions (Desktop 23.74.0+, CLI '
                                      '53.77.0+)',
              'third_party_assistance': 'SpecterOps (vulnerability discovery)'},
 'title': 'Critical StrongDM Authentication Flaw Allowed Session Hijacking via '
          'Local File Theft',
 'type': 'Authentication Flaw',
 'vulnerability_exploited': 'CVE-2026-4387'}