The vulnerability resides in ClearanceKit’s handling of dual‑path Endpoint Security events. The handler checks only the source path of file operations such as rename, link, copyfile, exchangedata, and clone, while ignoring the destination path. This oversight allows any local process to place or overwrite files in protected directories by leveraging those operations, effectively bypassing the intended per‑process access controls. The consequence is that a compromised or malicious local process can inject files into sandboxed locations, potentially enabling further exploitation or persistence.

The affected product is ClearanceKit, developed by craigjbass for macOS. All releases prior to 5.0.4‑beta‑1f46165 are vulnerable. The patch introduced in 5.0.4‑beta‑1f46165 corrects the policy enforcement logic to evaluate both source and destination paths.

The CVSS score is 6.8, indicating moderate severity, and the EPSS score is not available. The vulnerability is not listed in CISA’s KEV catalog, suggesting no public exploit evidence yet. A local attacker can exploit the flaw by executing any of the supported file operations against protected directories; the attack vector is inferred to be local because it requires a process running on the same system. Successful exploitation permits the attacker to alter critical files or introduce malicious artifacts, potentially leading to privilege escalation or persistence depending on the protected directories involved.