Description
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting ES_EVENT_TYPE_AUTH_OPEN events. Seven additional file operation event types were not intercepted, allowing any locally running process to bypass the configured FAA policy without triggering a denial. Commit a3d1733 adds subscriptions for all seven event types and routes them through the existing FAA policy evaluator. AUTH_RENAME and AUTH_UNLINK additionally preserve XProtect change detection: events on the XProtect path are allowed and trigger the existing onXProtectChanged callback rather than being evaluated against user policy. All versions on the 4.2 branch contain the fix. No known workarounds are available.
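The following Swift sketch, written against Apple's Endpoint Security C API, illustrates the pattern the fix describes: every subscribed AUTH event is mapped to the path it acts on and routed through one policy decision point, with AUTH_RENAME and AUTH_UNLINK on the XProtect path diverted to change detection instead. It is an added example, not ClearanceKit's code; evaluateFAAPolicy, onXProtectChanged, xprotectPath and the protected-directory rule are hypothetical stand-ins, and the event list is a representative set of file-operation AUTH events rather than the exact seven the advisory refers to (which the page does not enumerate beyond AUTH_RENAME and AUTH_UNLINK).

```swift
import EndpointSecurity
import Foundation

// Added illustration of the fix pattern; not ClearanceKit's code. Hypothetical names:
// evaluateFAAPolicy, onXProtectChanged, xprotectPath, the protected prefix and the editor path.

enum Verdict { case allow, deny }

// Placeholder: the page does not give the XProtect path ClearanceKit watches.
let xprotectPath = "/PLACEHOLDER/XProtect"

func string(from token: es_string_token_t) -> String {
    guard token.length > 0 else { return "" }
    return String(decoding: Data(bytes: token.data, count: token.length), as: UTF8.self)
}

// Single policy decision point. Hypothetical rule set standing in for the FAA evaluator:
// only one editor may touch files under the protected directory.
func evaluateFAAPolicy(process: String, path: String) -> Verdict {
    let protectedPrefix = "/Users/Shared/protected/"
    let allowedEditor = "/usr/local/bin/trusted-editor"
    if path.hasPrefix(protectedPrefix) && process != allowedEditor { return .deny }
    return .allow
}

// Stand-in for the existing onXProtectChanged callback (its body is not on the page).
func onXProtectChanged() {
    NSLog("XProtect path changed; refreshing XProtect state")
}

// Before the fix the subscription list was just [ES_EVENT_TYPE_AUTH_OPEN]: any other file
// operation never reached the extension, so the policy was never consulted and nothing was denied.
let subscribed: [es_event_type_t] = [
    ES_EVENT_TYPE_AUTH_OPEN,
    ES_EVENT_TYPE_AUTH_UNLINK,
    ES_EVENT_TYPE_AUTH_RENAME,
    ES_EVENT_TYPE_AUTH_TRUNCATE,
    ES_EVENT_TYPE_AUTH_LINK,
    ES_EVENT_TYPE_AUTH_CLONE,
    ES_EVENT_TYPE_AUTH_EXCHANGEDATA,
]

// Path each event acts on. For RENAME the policy is applied to the source path.
func targetPath(of msg: UnsafePointer<es_message_t>) -> String? {
    let event = msg.pointee.event
    switch msg.pointee.event_type {
    case ES_EVENT_TYPE_AUTH_OPEN:         return string(from: event.open.file.pointee.path)
    case ES_EVENT_TYPE_AUTH_UNLINK:       return string(from: event.unlink.target.pointee.path)
    case ES_EVENT_TYPE_AUTH_RENAME:       return string(from: event.rename.source.pointee.path)
    case ES_EVENT_TYPE_AUTH_TRUNCATE:     return string(from: event.truncate.target.pointee.path)
    case ES_EVENT_TYPE_AUTH_LINK:         return string(from: event.link.source.pointee.path)
    case ES_EVENT_TYPE_AUTH_CLONE:        return string(from: event.clone.source.pointee.path)
    case ES_EVENT_TYPE_AUTH_EXCHANGEDATA: return string(from: event.exchangedata.file1.pointee.path)
    default:                              return nil
    }
}

func respond(_ client: OpaquePointer, _ msg: UnsafePointer<es_message_t>, _ verdict: Verdict) {
    if msg.pointee.event_type == ES_EVENT_TYPE_AUTH_OPEN {
        // AUTH_OPEN is answered with an authorized-flags mask, not an allow/deny result.
        _ = es_respond_flags_result(client, msg, verdict == .allow ? UInt32.max : 0, false)
    } else {
        _ = es_respond_auth_result(client, msg,
                                   verdict == .allow ? ES_AUTH_RESULT_ALLOW : ES_AUTH_RESULT_DENY,
                                   false)
    }
}

var client: OpaquePointer?
let newClient = es_new_client(&client) { client, msg in
    let process = string(from: msg.pointee.process.pointee.executable.pointee.path)
    let type = msg.pointee.event_type
    guard let path = targetPath(of: msg) else {
        respond(client, msg, .deny)   // unmapped event type: fail closed rather than allow
        return
    }
    // AUTH_RENAME and AUTH_UNLINK on the XProtect path are allowed and only feed change
    // detection, as the fix description states; everything else goes through the evaluator.
    if path.hasPrefix(xprotectPath) &&
        (type == ES_EVENT_TYPE_AUTH_RENAME || type == ES_EVENT_TYPE_AUTH_UNLINK) {
        onXProtectChanged()
        respond(client, msg, .allow)
        return
    }
    respond(client, msg, evaluateFAAPolicy(process: process, path: path))
}
guard newClient == ES_NEW_CLIENT_RESULT_SUCCESS, let esClient = client else {
    fatalError("es_new_client failed: \(newClient)")
}
guard es_subscribe(esClient, subscribed, UInt32(subscribed.count)) == ES_RETURN_SUCCESS else {
    fatalError("es_subscribe failed")
}
dispatchMain()
```

This only runs inside a system extension that holds the Endpoint Security entitlement. The defensive point is the shape of the subscription list and the single dispatch path: with one entry in `subscribed`, the kernel never asks the extension about unlink, rename, truncate or the rest, so no policy check fires and no denial is logged, which is exactly the CWE-862 condition the advisory describes. Handlers for AUTH events must respond before the message deadline, so a real evaluator should be fast or cache results.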
Published: 2026-03-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Access
Action: Patch Now
AI Analysis

Impact

ClearanceKit, a macOS file-system access interceptor, enforced per-process access policies by monitoring only ES_EVENT_TYPE_AUTH_OPEN events. In versions 4.1 and earlier, other file operation events were ignored, allowing any locally running process to read or modify files regardless of the configured policies. This violates the intended confidentiality and integrity controls for protected files and can be exploited by a local user to bypass the Access Policy Enforcement (FAA) mechanism.

Affected Systems

The affected vendor is ClearanceKit, with products on the 4.1 branch and earlier being vulnerable. All releases on the 4.2 branch include the fix and are no longer affected.

Risk and Exploitability

The vulnerability carries a CVSS base score of 8.7, indicating high severity. No EPSS score is provided, and the issue is not listed in CISA’s KEV catalog, but the attack vector requires local process execution, which is likely for any user on the system. An attacker who can run code locally can exploit the bypass to read or modify files protected by ClearanceKit’s FAA policies, potentially escalating privileges and compromising system integrity.

Generated by OpenCVE AI on March 26, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ClearanceKit to version 4.2 or later, which includes the required event subscriptions for all file operation types.
  • Verify that the updated extension is active and that FAA policies are enforced as expected.
  • If an upgrade is not possible immediately, restrict local user file access permissions and monitor for unauthorized file activity.
  • Consider disabling ClearanceKit temporarily until a patched version can be deployed.


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 20:30:00 +0000

  Type: CPEs
  Values Added: cpe:2.3:a:craigjbass:clearancekit:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 15:15:00 +0000

  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

  Type: First Time appeared
  Values Added: Craigjbass; Craigjbass clearancekit

  Type: Vendors & Products
  Values Added: Craigjbass; Craigjbass clearancekit

Thu, 26 Mar 2026 19:45:00 +0000

  Type: Description
  Values Added: ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting ES_EVENT_TYPE_AUTH_OPEN events. Seven additional file operation event types were not intercepted, allowing any locally running process to bypass the configured FAA policy without triggering a denial. Commit a3d1733 adds subscriptions for all seven event types and routes them through the existing FAA policy evaluator. AUTH_RENAME and AUTH_UNLINK additionally preserve XProtect change detection: events on the XProtect path are allowed and trigger the existing onXProtectChanged callback rather than being evaluated against user policy. All versions on the 4.2 branch contain the fix. No known workarounds are available.

  Type: Title
  Values Added: ClearanceKit: opfilter policy bypass via non-open file operations

  Type: Weaknesses
  Values Added: CWE-862

  Type: References
  Values Added: (none shown)

  Type: Metrics
  Values Added: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T14:55:32.151Z

Reserved: 2026-03-23T14:24:11.618Z

Link: CVE-2026-33631

Vulnrichment

Updated: 2026-03-30T14:00:54.650Z

NVD

Status : Analyzed

Published: 2026-03-26T20:16:16.110

Modified: 2026-04-20T20:22:55.200

Link: CVE-2026-33631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:25:28Z

Weaknesses