Skip to main content

ClearanceKit CVE-2026-40599

| EUVDEUVD-2026-24209 HIGH
Incorrect Authorization (CWE-863)
2026-04-21 security-advisories@github.com
8.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 24, 2026 - 20:50 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 19:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 18:48 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 18:22 euvd
EUVD-2026-24209
Analysis Generated
Apr 21, 2026 - 18:22 vuln.today
CVE Published
Apr 21, 2026 - 18:16 nvd
HIGH 8.4

DescriptionGitHub Advisory

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5.

AnalysisAI

ClearanceKit 5.0.4 and earlier allows local attackers with low-privilege accounts to bypass file-system access controls and read/modify all protected files by spoofing Apple platform binary status. The vulnerability stems from incorrect validation of code signing identifiers - specifically, treating processes with empty Team IDs but non-empty Signing IDs as trusted Apple binaries. Malicious software can exploit this logic flaw to impersonate processes in the global allowlist and gain unauthorized access to sensitive data. CVSS 8.4 reflects high confidentiality and integrity impact in local attack scenarios. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though the GitHub security advisory provides detailed vulnerability disclosure.

Technical ContextAI

ClearanceKit is a macOS file-system access enforcement framework that intercepts file operations and applies per-process access policies based on code signing attributes. The vulnerability (CWE-863: Incorrect Authorization) occurs in the Team ID validation logic. On macOS, platform binaries signed by Apple possess both a Team ID (typically Apple's developer team identifier) and a Signing ID (bundle/executable identifier). ClearanceKit's flawed implementation treats any process with an empty Team ID and a present Signing ID as an Apple platform binary, bypassing normal access restrictions. Attackers can craft executables that meet these criteria - trivial with unsigned or ad-hoc signed binaries that omit Team ID but include arbitrary Signing IDs - to masquerade as trusted Apple processes. This authentication bypass grants the malicious process the same file-access privileges as legitimate Apple system components in the allowlist, subverting the entire access control framework.

RemediationAI

Immediately upgrade ClearanceKit to version 5.0.5 or later, which corrects the Team ID validation logic to properly distinguish between Apple platform binaries and attacker-controlled processes. The fix is available through the project's GitHub repository (https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x). For environments unable to upgrade immediately, implement compensating controls: (1) restrict local user account creation and enforce principle of least privilege to limit attacker foothold opportunities, (2) deploy endpoint detection and response (EDR) tools configured to alert on unsigned or ad-hoc signed processes accessing sensitive file paths protected by ClearanceKit, (3) enable macOS Gatekeeper and require notarized applications to raise the bar for executing malicious binaries, though note that notarization alone does not prevent this specific bypass. These workarounds reduce attack surface but do not eliminate the vulnerability - version 5.0.5 upgrade remains the only complete remediation. Test the upgrade in staging environments first, as changes to code signing validation logic may affect legitimate software with non-standard signing configurations.

Share

CVE-2026-40599 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy