v yCwLPaKsE NB BXhi mWhFFY YcZc

Technical Analysis: Session Hijacking and Token Replay Vulnerability in StrongDM (CVE-2026-4387)

A significant security flaw, tracked as CVE-2026-4387, has been disclosed in StrongDM’s architecture. The vulnerability facilitates unauthorized infrastructure access by allowing attackers to exfiltrate, manipulate, and reuse authentication tokens. This flaw poses a severe risk to enterprise environments that rely on StrongDM for centralized access management to sensitive cloud resources and databases.

The vulnerability was identified by Hope Walker, a researcher at SpecterOps, and impacts both the StrongDM desktop client and the Command Line Interface (CLI) in versions prior to the current security patches.

The Mechanics of the Flaw: Insecure Local State Persistence

The core of the issue lies in the insecure handling of session persistence. Upon a successful user authentication event, the StrongDM desktop application generated a local state file to maintain the session. This file, named state.kv, was stored in the user’s local directory (e.g., C:\Users\<username>\.sdm\state.kv).

From a technical standpoint, the state.kv file was critically flawed because it stored highly sensitive cryptographic material in plaintext. Specifically, the file contained a JSON Web Token (JWT) alongside a corresponding public/private key pair. Because these assets were not encrypted or bound to the specific hardware, they were highly portable.

As detailed in the SpecterOps research, an attacker with standard user-level privileges could copy this file and transplant it onto a different machine. When the StrongDM application is launched on the secondary host, it parses the stolen state.kv file, assumes the identity of the original user, and grants full access to protected resources without triggering a new authentication challenge or Multi-Factor Authentication (MFA) prompt.

Authentication Endpoint diagram showing the local service interaction
Authentication Endpoint Analysis (Source: SpecterOps)

In a real-world exploit scenario, this bypasses the entire identity provider (IdP) layer. An attacker does not need to crack passwords or intercept MFA codes; they simply need to hijack the existing session state to interact with databases, servers, and cloud infrastructure as a legitimate, authenticated user.

Process Monitor showing state.kv access
Identification of state.kv access via Process Monitor (Source: SpecterOps)

Further forensic analysis revealed an additional attack vector: the JWT could be retrieved via a local loopback endpoint (http://127.0.0.1:65220/v2/authentication) using minimal HTTP request headers. This allowed for even easier token extraction during an active session. When combined with the plaintext key pair in the state file, the result is a complete session replay capability that remains effective even across different network environments.

Root Cause and Remediation

The fundamental security failure is two-fold: insecure local storage of secrets and a lack of device binding. By failing to tie the session token to the unique hardware fingerprint of the originating device, StrongDM allowed tokens to be globally valid across any machine that could load the file.

Verification of state.kv file reuse
State.kv File Reuse Verification (Source: SpecterOps)

StrongDM has released critical updates to mitigate this risk:

  • Desktop Version: Update to 23.74.0 or later.
  • CLI Version: Update to 53.77.0 or later.

The remediation involves migrating from plaintext JSON storage to platform-native secure enclaves. On Windows, the application now utilizes the Data Protection API (DPAPI), and on macOS, it leverages the Keychain. These mechanisms ensure that even if the state.kv file is exfiltrated, the encapsulated secrets cannot be decrypted on a different device.

Recommended Actions for Security Teams

  1. Immediate Patching: Prioritize updating all StrongDM endpoints (Desktop and CLI) to the patched versions listed above.
  2. Endpoint Monitoring: Audit local file access patterns on workstations, specifically looking for unauthorized access to the .sdm directory.
  3. Session Auditing: Review StrongDM access logs for anomalous login locations or unexpected concurrent sessions from the same user identity.
  4. Zero Trust Enforcement: Strengthen endpoint security controls to prevent the initial local file exfiltration that enables this attack chain.

This vulnerability serves as a vital reminder that session management is not just about the strength of the initial authentication, but the security of the artifacts left behind on the local machine.

Related Articles

Back to top button