CVE-2026-4387
LowCVSS 2.0Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
The StrongDM Desktop Application before version 23.74.0 (Desktop Client before version 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file. This file is located at C:\Users\<username>\.sdm\state.kv and is protected only by default user-level NTFS permissions.
Risk Assessment
Exploitation of this vulnerability requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host, which may lead to unauthorized access to sensitive authentication data.
Recommendation
It is recommended to update the StrongDM application to the latest version to eliminate the storage of authentication data in cleartext. Additionally, access to the user profile directory should be restricted and NTFS permissions monitored.
Original NVD description (English source)
StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file is protected only by default user-level NTFS permissions. Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host. The condition was reported through coordinated disclosure by Hope Walker (SpecterOps).

