Critical StrongDM Authentication Flaw Allowed Session Hijacking via Local File Theft A severe vulnerability in StrongDM’s desktop application (CVE-2026-4387) was discovered by SpecterOps, enabling attackers to hijack user sessions by reusing locally stored authentication material. The flaw, present in versions prior to StrongDM Desktop 23.74.0 and CLI 53.77.0, stemmed from insecure storage of session data in a plaintext file (`C:\Users\<username>\.sdm\state.kv`). The file contained unencrypted JSON Web Tokens (JWTs) and cryptographic key pairs, accessible with only user-level permissions. Attackers could copy this file from a compromised system to another machine, allowing the StrongDM client to authenticate as the victim without credentials. The vulnerability persisted even when the file was replaced after application launch, bypassing protections and exposing weaknesses in the authentication flow. Additional risks included an exposed local endpoint (`http://127.0.0.1:65220/v2/authentication`) leaking JWTs and cached files storing sensitive data. The lack of host-environment binding for session tokens enabled cross-system reuse, amplifying the threat. Exploitation could grant attackers access to databases, servers, and cloud resources, facilitating lateral movement within enterprise networks. StrongDM addressed the issue by eliminating plaintext storage of authentication data, transitioning to platform-native secure storage (DPAPI on Windows, Keychain on macOS) and removing JWTs from the `state.kv` file. The vulnerability was reported in May 2025, patched in March 2026, and publicly disclosed on May 29, 2026, with broader details released on June 1, 2026. Security validation confirmed that session file reuse no longer grants unauthorized access.