Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.14, two related startup defects created a window during which only the single compile-time baseline rule was enforced by opfilter. All managed (MDM-delivered) and user-defined file-access rules were not applied until the user interacted with policies through the GUI, triggering a policy mutation over XPC. This issue has been patched in version 4.2.14.
AnalysisAI
ClearanceKit on macOS fails to enforce managed and user-defined file-access policies during startup, allowing local processes to bypass intended access controls until GUI interaction triggers policy reloading. The vulnerability affects ClearanceKit versions prior to 4.2.14, where two startup defects create a window in which only a hardcoded baseline rule is enforced, leaving the system vulnerable to privilege escalation and unauthorized file access. This issue is not confirmed actively exploited, but the trivial attack vector (local, no authentication) and high integrity/system impact make it a meaningful risk for systems relying on ClearanceKit for file-access enforcement.
Technical ContextAI
ClearanceKit is a macOS kernel extension or system service that implements per-process file-system access policies through an opfilter enforcement mechanism. The vulnerability stems from initialization logic in two distinct startup code paths that fail to load and activate managed (MDM-delivered) policies and user-defined rules at boot time. Instead, only a single compile-time baseline rule is enforced until a user manually interacts with the policy GUI, which triggers a policy mutation event over XPC (inter-process communication). This is rooted in CWE-269 (Improper Control of Resource Identifiers), indicating the system fails to correctly enforce its own intended access control mechanisms. The affected product is identified by CPE cpe:2.3:a:craigjbass:clearancekit:*:*:*:*:*:*:*:* across all versions prior to 4.2.14.
RemediationAI
Vendor-released patch: ClearanceKit 4.2.14. Update to version 4.2.14 or later, which fixes the two startup defects and ensures managed and user-defined policies are enforced immediately at boot time without requiring GUI interaction. The fixes are tracked in commits 56d617b778c571e3c29b803636d9807940992daa and ddfdacb2633681bbd9c2f41dbd536ea039386628 in the upstream repository at https://github.com/craigjbass/clearancekit. For systems unable to update immediately, minimize the startup window by logging in and opening the ClearanceKit GUI immediately after boot to trigger policy loading; however, this is a workaround and not a substitute for patching. MDM administrators should prioritize updating ClearanceKit across managed devices to restore intended file-access policy enforcement from boot time.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17484