Description
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.14, two related startup defects created a window during which only the single compile-time baseline rule was enforced by opfilter. All managed (MDM-delivered) and user-defined file-access rules were not applied until the user interacted with policies through the GUI, triggering a policy mutation over XPC. This issue has been patched in version 4.2.14.
Published: 2026-03-31
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Immediate Patch
AI Analysis

Impact

ClearanceKit intercepts file‑system access events on macOS. Prior to version 4.2.14 the opfilter started enforcing only a single compile‑time baseline rule, leaving all MDM‑delivered and user‑defined file‑access policies inactive until the user first interacted with the GUI. This allowed processes to read, write, or delete files outside the intended scope, potentially enabling data theft or manipulation. The weakness is a privilege escalation issue (CWE‑269).

Affected Systems

The vulnerability affects the macOS version of ClearanceKit distributed by craigjbass. Any installation prior to version 4.2.14 is affected. The product is used to enforce per‑process file‑system access controls.

Risk and Exploitability

The CVSS base score is 6.3, indicating moderate severity. The EPSS score is below 1 %, suggesting a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need local access to a macOS machine running ClearanceKit before the policy is modified, and can exploit the window between service start and first GUI interaction to access files that should be protected.

Generated by OpenCVE AI on April 6, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ClearanceKit to version 4.2.14 or later, which includes the patch for the policy‑enforcement defect.
  • Verify the installed clearancekit version to confirm the update.
  • As a temporary measure, disable ClearanceKit or restrict its runtime until the patch is applied.
  • Review file‑system access logs for any unauthorized activity during the vulnerable window.

Generated by OpenCVE AI on April 6, 2026 at 17:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:craigjbass:clearancekit:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Craigjbass
Craigjbass clearancekit
Vendors & Products Craigjbass
Craigjbass clearancekit

Tue, 31 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Description ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.14, two related startup defects created a window during which only the single compile-time baseline rule was enforced by opfilter. All managed (MDM-delivered) and user-defined file-access rules were not applied until the user interacted with policies through the GUI, triggering a policy mutation over XPC. This issue has been patched in version 4.2.14.
Title ClearanceKit: Managed and user-defined policy rules not enforced between opfilter start and first policy modification
Weaknesses CWE-269
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Craigjbass Clearancekit
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:18:12.722Z

Reserved: 2026-03-26T15:57:52.324Z

Link: CVE-2026-34218

cve-icon Vulnrichment

Updated: 2026-04-02T15:18:03.648Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T16:16:31.670

Modified: 2026-04-06T15:04:33.150

Link: CVE-2026-34218

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:03Z

Weaknesses