Description
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.6, the opfilter Endpoint Security system extension (bundle ID uk.craigbass.clearancekit.opfilter) can be suspended with SIGSTOP or kill -STOP, or killed with SIGKILL/SIGTERM, by any process running as root. While the extension is suspended, all AUTH Endpoint Security events time out and default to allow, silently disabling ClearanceKit's file-access policy enforcement for the duration of the suspension. This vulnerability is fixed in 5.0.6.
Published: 2026-04-21
Score: 8.2 High (CVSS v4.0)
EPSS: n/a
KEV: No
Impact: Security-Control Bypass (file-access policy silently not enforced; the attacker must already be root, so no privilege is gained)
Action: Patch
AI Analysis

Impact

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies, including on processes that run as root. A root process can suspend the opfilter Endpoint Security system extension (SIGSTOP or kill -STOP) or kill it (SIGKILL or SIGTERM). While the extension is suspended, every AUTH Endpoint Security event it should be answering times out and the decision defaults to allow, so ClearanceKit's file-access policy is silently not enforced for the duration. A privileged process can then read, write or execute files the policy should have blocked. The attacker gains no new privilege; what it escapes is the control that was meant to constrain it even as root.

Affected Systems

The affected product is ClearanceKit for macOS. Versions prior to 5.0.6 are vulnerable; the affected extension's bundle ID is uk.craigbass.clearancekit.opfilter. Any process already running as root on the same host can trigger the flaw; no further entitlement, special condition or user interaction is needed (PR:H, AT:N, UI:N in the vector below).

Risk and Exploitability

The CVSS v4.0 base score of 8.2 (High) reflects a local, low-complexity attack by a high-privilege actor: the extension itself suffers a high availability impact (VA:H), and the files it was protecting, scored as the subsequent system, suffer high confidentiality and integrity impact (SC:H, SI:H). No EPSS data is available, and the SSVC decision point records Exploitation as none and Automatable as no; the flaw is not listed in CISA's KEV catalog. The practical risk is still significant on hosts where ClearanceKit is the control relied on to constrain root: any compromised daemon, management agent or installer running as root can switch enforcement off for as long as it likes, without escalating privilege and without the extension itself noticing.

Generated by OpenCVE AI on April 22, 2026 at 05:38 UTC.

Remediation

The vendor reports the issue fixed in ClearanceKit 5.0.6. No workaround for earlier versions is published on this page.

OpenCVE Recommended Actions

  • Apply the vendor's patch by upgrading ClearanceKit to version 5.0.6 or later, then confirm the installed version on each host rather than trusting the deployment job.
  • Minimise what runs as root on protected hosts (launch daemons, management agents, installer helpers), since any root process can trigger this; run services that do not need root under a dedicated unprivileged account or the App Sandbox where possible.
  • Monitor the extension from outside itself: a suspended extension cannot report its own suspension, so alert on the uk.craigbass.clearancekit.opfilter process entering a stopped state (STAT beginning with T in ps output) or disappearing, and, where a second Endpoint Security client is available, on ES_EVENT_TYPE_NOTIFY_SIGNAL events whose target is that process. Investigate any SIGSTOP, SIGKILL or SIGTERM sent to it and correlate with file activity by root processes during the window.
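A host-side check covering the first and third recommendations (patch level and extension state), as an added example rather than ClearanceKit's own tooling. It assumes the extension runs as a process whose command path contains the bundle ID, which is how system-extension binaries are usually laid out under /Library/SystemExtensions but is not confirmed by this page; the ps output it parses is constructed sample data, and the Info.plist path in the usage comment is an assumption. The point of the check is that it runs outside the extension: a suspended Endpoint Security client cannot observe that it has been stopped, so the stopped state has to be detected by something else.

```shell
#!/bin/sh
# Added example, not ClearanceKit code. Assumptions: the opfilter process's
# command path contains its bundle ID; the installed version is a dotted
# major.minor.patch string (how it is obtained is left to the caller).

OPFILTER_ID="uk.craigbass.clearancekit.opfilter"
FIXED_VERSION="5.0.6"

# opfilter_state: read `ps -axo pid=,stat=,comm=` output on stdin and print
# running, stopped or missing. A STAT column beginning with T means the
# process is suspended (SIGSTOP / kill -STOP): the state in which its AUTH
# events time out and the kernel defaults them to allow.
opfilter_state() {
    awk -v id="$OPFILTER_ID" '
        index($0, id) {
            found = 1
            if (substr($2, 1, 1) == "T") stopped = 1
        }
        END {
            if (!found)        print "missing"
            else if (stopped)  print "stopped"
            else               print "running"
        }'
}

# version_lt A B: succeed if dotted version A is numerically older than B,
# component by component (5.0.5 < 5.0.6, 4.9.9 < 5.0.6, 5.1.0 is not).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# clearancekit_check VERSION: combine both checks. Prints
# "<vulnerable|patched> <running|stopped|missing>" and returns non-zero
# unless the build is patched and the extension is running, so it can
# drive a monitoring alert.
clearancekit_check() {
    state=$(opfilter_state)
    if version_lt "$1" "$FIXED_VERSION"; then patch="vulnerable"; else patch="patched"; fi
    printf '%s %s\n' "$patch" "$state"
    [ "$patch" = "patched" ] && [ "$state" = "running" ]
}

# Constructed sample of `ps -axo pid=,stat=,comm=` output with the extension
# suspended (STAT T). The UUID directory name is made up.
SAMPLE_PS='    1 Ss   /sbin/launchd
  410 Ss   /usr/libexec/sysextd
  512 T    /Library/SystemExtensions/0F0F0F0F-0000-4000-8000-000000000000/uk.craigbass.clearancekit.opfilter.systemextension/Contents/MacOS/uk.craigbass.clearancekit.opfilter
  700 S+   /bin/zsh'

# Usage on a real host (the Info.plist path is an assumption):
#   ps -axo pid=,stat=,comm= | clearancekit_check "$(defaults read \
#     /Applications/ClearanceKit.app/Contents/Info.plist CFBundleShortVersionString)"
# Demo against the constructed sample:
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PS" | clearancekit_check 5.0.5 || echo "ALERT: enforcement not guaranteed"
fi
```

Run it from a periodic launchd job or an EDR script check rather than from ClearanceKit's own process; a non-zero exit means either the build is still below 5.0.6 or the extension is not currently answering AUTH events, and both deserve an alert.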

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values removed: (none listed)
Values added: ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.6, the opfilter Endpoint Security system extension (bundle ID uk.craigbass.clearancekit.opfilter) can be suspended with SIGSTOP or kill -STOP, or killed with SIGKILL/SIGTERM, by any process running as root. While the extension is suspended, all AUTH Endpoint Security events time out and default to allow, silently disabling ClearanceKit's file-access policy enforcement for the duration of the suspension. This vulnerability is fixed in 5.0.6.

Type: Title
Values removed: (none listed)
Values added: ClearanceKit: opfilter system extension can be suspended or signalled by a root process, disabling file-access policy enforcement

Type: Weaknesses
Values removed: (none listed)
Values added: CWE-693 (Protection Mechanism Failure)

Type: References
Values removed: (none listed)
Values added: (none listed)

Type: Metrics
Values removed: (none listed)
Values added:
  cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:H/SA:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:36:53.181Z

Reserved: 2026-04-14T14:07:59.642Z

Link: CVE-2026-40604

Vulnrichment

Updated: 2026-04-21T19:55:06.310Z

NVD

Status : Received

Published: 2026-04-21T18:16:51.977

Modified: 2026-04-21T18:16:51.977

Link: CVE-2026-40604

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:45:09Z

Weaknesses