Skip to main content

Apple CVE-2026-40191

| EUVDEUVD-2026-21595 MEDIUM
Incorrect Authorization (CWE-863)
2026-04-10 GitHub_M
6.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
5.0.4-beta-1f46165
EUVD ID Assigned
Apr 10, 2026 - 21:00 euvd
EUVD-2026-21595
Analysis Generated
Apr 10, 2026 - 21:00 vuln.today
CVE Published
Apr 10, 2026 - 20:19 nvd
MEDIUM 6.8

DescriptionGitHub Advisory

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit's Endpoint Security event handler only checked the source path of dual-path file operations against File Access Authorization (FAA) rules and App Jail policies. The destination path was ignored entirely. This allowed any local process to bypass file-access protection by using rename, link, copyfile, exchangedata, or clone operations to place or replace files inside protected directories. This vulnerability is fixed in 5.0.4-beta-1f46165.

AnalysisAI

ClearanceKit for macOS prior to version 5.0.4-beta-1f46165 fails to validate destination paths in dual-path file operations (rename, link, copyfile, exchangedata, clone), allowing authenticated local processes to bypass file-access protection and place or replace files in protected directories. The vulnerability affects all versions before 5.0.4-beta-1f46165 and has been patched; no public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

ClearanceKit is a macOS Endpoint Security framework application that enforces per-process file-system access policies through an ES event handler. The vulnerability resides in CWE-863 (Incorrect Authorization) where the event handler only validated the source path of dual-path operations against File Access Authorization (FAA) rules and App Jail policies while completely ignoring the destination path. Dual-path operations (rename, link, copyfile, exchangedata, clone) are file-system operations that involve both a source and destination; by only checking the source, an attacker can use these operations to circumvent protections on destination directories. This is a logic flaw in the authorization enforcement mechanism, not a memory safety or protocol issue. The affected product is uniquely identified by CPE 2.3:a:craigjbass:clearancekit.

RemediationAI

Upgrade ClearanceKit to version 5.0.4-1f46165 or later, which includes the patched Endpoint Security event handler that now validates both source and destination paths for dual-path file operations. Patched release is available at https://github.com/craigjbass/clearancekit/releases/tag/v5.0.4-1f46165. If immediate patching is not possible, review and restrict local user privileges on systems where file-system access protection is critical, particularly for users or processes that should not be able to manipulate protected directories via file operations.

Share

CVE-2026-40191 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy