Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit's Endpoint Security event handler only checked the source path of dual-path file operations against File Access Authorization (FAA) rules and App Jail policies. The destination path was ignored entirely. This allowed any local process to bypass file-access protection by using rename, link, copyfile, exchangedata, or clone operations to place or replace files inside protected directories. This vulnerability is fixed in 5.0.4-beta-1f46165.
AnalysisAI
ClearanceKit for macOS prior to version 5.0.4-beta-1f46165 fails to validate destination paths in dual-path file operations (rename, link, copyfile, exchangedata, clone), allowing authenticated local processes to bypass file-access protection and place or replace files in protected directories. The vulnerability affects all versions before 5.0.4-beta-1f46165 and has been patched; no public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
ClearanceKit is a macOS Endpoint Security framework application that enforces per-process file-system access policies through an ES event handler. The vulnerability resides in CWE-863 (Incorrect Authorization) where the event handler only validated the source path of dual-path operations against File Access Authorization (FAA) rules and App Jail policies while completely ignoring the destination path. Dual-path operations (rename, link, copyfile, exchangedata, clone) are file-system operations that involve both a source and destination; by only checking the source, an attacker can use these operations to circumvent protections on destination directories. This is a logic flaw in the authorization enforcement mechanism, not a memory safety or protocol issue. The affected product is uniquely identified by CPE 2.3:a:craigjbass:clearancekit.
RemediationAI
Upgrade ClearanceKit to version 5.0.4-1f46165 or later, which includes the patched Endpoint Security event handler that now validates both source and destination paths for dual-path file operations. Patched release is available at https://github.com/craigjbass/clearancekit/releases/tag/v5.0.4-1f46165. If immediate patching is not possible, review and restrict local user privileges on systems where file-system access protection is critical, particularly for users or processes that should not be able to manipulate protected directories via file operations.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21595