Critical StrongDM Flaw: Vulnerability Allows Attackers to Steal & Reuse Sessions
A critical authentication flaw has been identified in StrongDM’s desktop application. This vulnerability allows attackers to hijack user sessions by reusing locally stored authentication material, potentially exposing sensitive enterprise infrastructure.
The issue, tracked as CVE-2026-4387, was discovered by SpecterOps during a security assessment and has been fixed in StrongDM Desktop version 23.74.0 and CLI version 53.77.0.
The vulnerability originates from how StrongDM stored session data on disk. After a successful login, the application saved authentication material in a file located at C:\Users\<username>\.sdm\state.kv.
This file contained a JSON Web Token (JWT) along with a public and private key pair, all stored in plaintext.
Critical StrongDM Vulnerability
Since the file only required user-level permissions to read, an attacker with access to the system could extract it without elevated privileges.
SpecterOps demonstrated that this state file could be reused to impersonate a legitimate user.
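The state file described above held a JWT and a key pair in plaintext, and cached files carried similar material. The following audit routine is an added example (not code from the article, SpecterOps or StrongDM) that scans the text of such a client state file for plaintext JWTs and PEM private keys and reports each as a finding. The sample file, its token and its keys are constructed to resemble the layout described, not taken from a real installation.

```python
"""Added example, not from the article or from StrongDM: audit a client
state file for plaintext session material. Any JWT or PEM private key at
rest in a user-readable file is a finding. The sample file below is
constructed to resemble the layout the article describes."""
import base64
import hashlib
import hmac
import json
import re
from typing import Dict, List, Optional, Tuple

# Three base64url segments separated by dots; quotes and colons end a match.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _looks_like_jwt(candidate: str) -> Optional[Tuple[dict, dict]]:
    """Return (header, claims) if both segments decode to JSON objects."""
    head, body, _sig = candidate.split(".")
    try:
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64 and bad JSON both raise ValueError subclasses
        return None
    if isinstance(header, dict) and "alg" in header and isinstance(claims, dict):
        return header, claims
    return None


def audit_state_file(contents: str) -> List[Dict]:
    """Report every plaintext JWT (with its subject and expiry) and private key."""
    findings: List[Dict] = []
    for match in JWT_RE.finditer(contents):
        parsed = _looks_like_jwt(match.group(0))
        if parsed:
            header, claims = parsed
            findings.append({"type": "jwt", "alg": header.get("alg"),
                             "sub": claims.get("sub"), "exp": claims.get("exp")})
    for _ in PEM_RE.finditer(contents):
        findings.append({"type": "private_key"})
    return findings


def _make_sample_jwt(secret: bytes, claims: dict) -> str:
    """Build an HS256 token for the constructed sample; not a real StrongDM token."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


# Constructed stand-in for a state file with a plaintext token and key pair.
SAMPLE_STATE_KV = json.dumps({
    "jwt": _make_sample_jwt(b"constructed-sample-secret",
                            {"sub": "alice@example.test", "exp": 1893456000}),
    "public_key": "ssh-ed25519 AAAA (constructed)",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMC4CAQAw (constructed)\n-----END PRIVATE KEY-----",
})


def demo() -> List[Dict]:
    return audit_state_file(SAMPLE_STATE_KV)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real file with `audit_state_file(open(path).read())`; an empty result for the current client version is the expected outcome after the fix, since the token no longer lives in the state file.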

Attackers could copy a KV state file from a compromised system to another machine, allowing the StrongDM client to automatically authenticate as the victim and access infrastructure resources without credentials.
The attack worked reliably even across external hosts by replacing the file after application launch, bypassing startup-file protections and exposing additional weaknesses in the authentication flow.
A local endpoint at http://127.0.0.1:65220/v2/authentication exposed JWT tokens when queried with minimal headers, and cached files such as data_1 also stored sensitive authentication data.

The lack of binding between session tokens and the host environment enabled the reuse of authentication material across different systems.
The impact of this vulnerability is significant, as it enables full session hijacking without requiring credentials.
Attackers could access databases, servers, and cloud resources managed through StrongDM and potentially move laterally within enterprise environments.
The fact that only user-level permissions are required lowers the barrier for exploitation, especially in post-compromise scenarios.
StrongDM remediated the issue by removing plaintext storage of sensitive authentication data.
The updated versions now use platform-native secure storage mechanisms such as DPAPI on Windows and Keychain on macOS.

Additionally, JWTs are no longer stored in the state.kv file, preventing reuse across systems. Security validation confirmed that transferring session files between hosts no longer results in authenticated access.
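The two properties the article contrasts, a bearer token that is valid wherever the file lands versus a session bound to the host that created it, can be shown side by side. The following is an added example and not StrongDM's implementation: the legacy layout stores a bearer token in the state file, the hardened layout stores only a session reference and keeps a per-host secret in a simulated secure store standing in for DPAPI or Keychain, and the server checks an HMAC proof over a single-use challenge before accepting the session. Hosts, users, the secure-store dictionary and the protocol are all constructed for this example.

```python
"""Added example, not StrongDM's code: why a copied session state file
should not authenticate on another host.

The legacy layout mirrors the article (a bearer JWT kept in plaintext in
state.kv, nothing ties it to the host). The hardened layout keeps only a
session reference in the file and binds the session to a per-host secret
held in a simulated OS secure store (a stand-in for DPAPI/Keychain).
All hosts, users and secrets below are constructed."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Stand-in for platform-native secure storage: one secret per host, never
# written into the copyable state file (assumption of this example).
SECURE_STORE: Dict[str, bytes] = {}


class AuthServer:
    """Minimal session server that remembers the host secret registered at login."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict] = {}
        self._challenges: set = set()

    def login(self, user: str, host_secret: bytes) -> str:
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = {"user": user, "host_key": host_secret}
        return session_id

    def challenge(self) -> bytes:
        """Single-use nonce so a captured proof cannot be replayed."""
        nonce = secrets.token_bytes(16)
        self._challenges.add(nonce)
        return nonce

    def legacy_auth(self, bearer: str) -> Optional[str]:
        """Bearer-only check: whoever holds the token string is the user."""
        session = self._sessions.get(bearer)
        return session["user"] if session else None

    def bound_auth(self, session_id: str, nonce: bytes, proof: bytes) -> Optional[str]:
        """Require HMAC(host_secret, nonce): proves possession of the host key."""
        session = self._sessions.get(session_id)
        if session is None or nonce not in self._challenges:
            return None
        self._challenges.discard(nonce)
        expected = hmac.new(session["host_key"], nonce, hashlib.sha256).digest()
        return session["user"] if hmac.compare_digest(expected, proof) else None


def legacy_login(server: AuthServer, user: str) -> str:
    """Vulnerable layout: the bearer token itself lands in the state file."""
    token = server.login(user, b"")           # no host binding at all
    return json.dumps({"jwt": token})


def legacy_use(server: AuthServer, state_file: str, host: str) -> Optional[str]:
    """The host is irrelevant: the file alone authenticates."""
    return server.legacy_auth(json.loads(state_file)["jwt"])


def hardened_login(server: AuthServer, user: str, host: str) -> str:
    """Hardened layout: the file holds a reference; the secret stays in the secure store."""
    host_secret = secrets.token_bytes(32)
    SECURE_STORE[host] = host_secret
    return json.dumps({"session_id": server.login(user, host_secret)})


def hardened_use(server: AuthServer, state_file: str, host: str) -> Optional[str]:
    session_id = json.loads(state_file)["session_id"]
    host_secret = SECURE_STORE.get(host)
    if host_secret is None:
        return None                           # copied file, no host key: useless
    nonce = server.challenge()
    proof = hmac.new(host_secret, nonce, hashlib.sha256).digest()
    return server.bound_auth(session_id, nonce, proof)


def demo() -> Dict[str, Optional[str]]:
    server = AuthServer()
    legacy_file = legacy_login(server, "alice")
    bound_file = hardened_login(server, "alice", "victim-host")
    SECURE_STORE["attacker-host"] = secrets.token_bytes(32)  # other host, other secret
    return {
        "legacy_same_host": legacy_use(server, legacy_file, "victim-host"),
        "legacy_copied": legacy_use(server, legacy_file, "attacker-host"),
        "bound_same_host": hardened_use(server, bound_file, "victim-host"),
        "bound_copied": hardened_use(server, bound_file, "attacker-host"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In `demo()` the legacy file authenticates from both hosts, while the hardened file works only where the matching host secret exists; a second host with its own secret produces a proof the server rejects. A real deployment would put the host secret behind the OS keystore and tie the challenge to the request being authorised, but the binding property is the same.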
The vulnerability was initially reported in May 2025, with a fix implemented in March 2026.
According to SpecterOps, CVE-2026-4387 was publicly disclosed on May 29, 2026, followed by a broader disclosure on June 1, 2026.
Users are strongly advised to update to the latest versions to mitigate any potential risk.
This incident highlights the dangers of insecure local credential storage. It emphasizes the importance of protecting authentication tokens through secure storage and proper session binding to prevent reuse attacks.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.