Description
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5.
Published: 2026-04-21
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation and Unauthorized File Access
Action: Patch
AI Analysis

Impact

ClearanceKit monitors file‑system operations and enforces per‑process access rules. The flaw treats any process that has an empty Team ID but a non‑empty Signing ID as an Apple system binary. As a result, a malicious application can masquerade as an Apple process in the global allowlist, bypassing all protected‑file restrictions and obtaining unrestricted read/write access to system files.

Affected Systems

The affected product is ClearanceKit from vendor craigjbass. Versions prior to 5.0.5 contain the vulnerability; all later releases are not affected.

Risk and Exploitability

The vulnerability scores a CVSS of 8.4, indicating high severity. No EPSS data is available, and the issue is not listed in the CISA KEV catalog. Exploitation requires local execution of a binary that meets the malformed Team/Signing ID criteria, allowing the attacker to gain privileged file‑system access on macOS systems where ClearanceKit is active.

Generated by OpenCVE AI on April 22, 2026 at 05:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ClearanceKit to version 5.0.5 or later, which corrects the Team ID validation bug
  • If an upgrade is not immediately feasible, avoid running any locally crafted binaries with an empty Team ID and a non‑empty Signing ID on machines using ClearanceKit
  • Consider disabling ClearanceKit’s global allowlist feature or performing manual certificate validation for critical processes

Generated by OpenCVE AI on April 22, 2026 at 05:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
CPEs cpe:2.3:a:craigjbass:clearancekit:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Craigjbass
Craigjbass clearancekit
Vendors & Products Craigjbass
Craigjbass clearancekit

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5.
Title ClearanceKit: Ad-hoc signed binaries can spoof Apple process identities in the global allowlist
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Apple Macos
Craigjbass Clearancekit
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T18:35:04.258Z

Reserved: 2026-04-14T14:07:59.641Z

Link: CVE-2026-40599

cve-icon Vulnrichment

Updated: 2026-04-21T18:34:48.837Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T18:16:51.693

Modified: 2026-04-24T20:50:42.683

Link: CVE-2026-40599

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:46:00Z

Weaknesses