CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Description
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting ES_EVENT_TYPE_AUTH_OPEN events. Seven additional file operation event types were not intercepted, allowing any locally running process to bypass the configured FAA policy without triggering a denial. Commit a3d1733 adds subscriptions for all seven event types and routes them through the existing FAA policy evaluator. AUTH_RENAME and AUTH_UNLINK additionally preserve XProtect change detection: events on the XProtect path are allowed and trigger the existing onXProtectChanged callback rather than being evaluated against user policy. All versions on the 4.2 branch contain the fix. No known workarounds are available.
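To make the gap in the description concrete, the following C program is an added model of the dispatch logic, not ClearanceKit's code and not built against the real EndpointSecurity framework. The event type names, the `/protected/` policy rule, the XProtect bundle path and the sample event stream are all constructed for illustration; only AUTH_OPEN, AUTH_RENAME and AUTH_UNLINK are named on the page, so the remaining five event types are collapsed into one generic stand-in. It contrasts the 4.1 handler (only AUTH_OPEN reaches the evaluator) with the 4.2 handler (every file-operation auth event is evaluated, with the RENAME/UNLINK carve-out for the XProtect path) over the same stream of events and counts how many denials each would produce.

```c
/* Model of the opfilter dispatch gap described above.
 * Constructed example, not ClearanceKit code: event types, paths and the
 * policy rule are stand-ins; only AUTH_OPEN, AUTH_RENAME and AUTH_UNLINK are
 * named on the page, the other five are collapsed into one generic type. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    EV_AUTH_OPEN,           /* the only type the 4.1 extension subscribed to */
    EV_AUTH_RENAME,
    EV_AUTH_UNLINK,
    EV_AUTH_OTHER_FILE_OP   /* stand-in for the remaining unnamed file operations */
} event_type_t;

typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 } verdict_t;

typedef struct {
    event_type_t type;
    const char *path;
} es_event_t;

/* Assumed location of the XProtect bundle; placeholder, not taken from the page. */
#define XPROTECT_PATH "/Library/Apple/System/Library/CoreServices/XProtect.bundle"

/* Constructed FAA policy: the calling process may not touch anything under /protected/. */
static verdict_t faa_evaluate(const char *path)
{
    return strncmp(path, "/protected/", strlen("/protected/")) == 0 ? VERDICT_DENY : VERDICT_ALLOW;
}

static bool path_is_xprotect(const char *path)
{
    return strncmp(path, XPROTECT_PATH, strlen(XPROTECT_PATH)) == 0;
}

static int xprotect_changed_calls = 0;
static void on_xprotect_changed(void) { xprotect_changed_calls++; }
int xprotect_callback_count(void) { return xprotect_changed_calls; }

/* 4.1 behaviour: only AUTH_OPEN reaches the evaluator. Every other file
 * operation was never subscribed, so the kernel proceeds without asking the
 * extension: no denial and no log entry. */
verdict_t handle_event_v41(const es_event_t *ev)
{
    if (ev->type == EV_AUTH_OPEN)
        return faa_evaluate(ev->path);
    return VERDICT_ALLOW;
}

/* 4.2 behaviour (commit a3d1733): every file-operation auth event is routed
 * through the same evaluator. RENAME/UNLINK on the XProtect path are not
 * evaluated against user policy; they are allowed and fire the change callback. */
verdict_t handle_event_v42(const es_event_t *ev)
{
    if ((ev->type == EV_AUTH_RENAME || ev->type == EV_AUTH_UNLINK) && path_is_xprotect(ev->path)) {
        on_xprotect_changed();
        return VERDICT_ALLOW;
    }
    return faa_evaluate(ev->path);
}

/* Constructed event stream: several operations against one protected file,
 * a benign open elsewhere, and an XProtect update. */
static const es_event_t sample_events[] = {
    { EV_AUTH_OPEN,          "/protected/secret.txt" },
    { EV_AUTH_RENAME,        "/protected/secret.txt" },
    { EV_AUTH_UNLINK,        "/protected/secret.txt" },
    { EV_AUTH_OTHER_FILE_OP, "/protected/secret.txt" },
    { EV_AUTH_OPEN,          "/Users/alice/notes.txt" },
    { EV_AUTH_UNLINK,        XPROTECT_PATH "/Contents/Resources/XProtect.plist" },
};
#define N_EVENTS (sizeof sample_events / sizeof sample_events[0])

typedef verdict_t (*handler_fn)(const es_event_t *);

/* Run the stream through a handler and count denials (what policy logging would record). */
int count_denied(handler_fn handler)
{
    int denied = 0;
    for (size_t i = 0; i < N_EVENTS; i++)
        if (handler(&sample_events[i]) == VERDICT_DENY)
            denied++;
    return denied;
}

int main(void)
{
    printf("4.1 handler denied %d of %zu events\n", count_denied(handle_event_v41), N_EVENTS);
    printf("4.2 handler denied %d of %zu events\n", count_denied(handle_event_v42), N_EVENTS);
    printf("XProtect change callbacks fired: %d\n", xprotect_callback_count());
    return 0;
}
```

Under the 4.1 handler only the first event is denied; the rename, unlink and generic operation on the same protected file pass silently, which is exactly why no denial ever appears in the logs. Under the 4.2 handler all four are denied, the benign open is still allowed, and the unlink on the XProtect path is allowed with the change-detection callback fired once instead of being scored against user policy.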
Analysis
ClearanceKit 4.1 and earlier for macOS allows local authenticated users to completely bypass configured file access policies via seven unmonitored file operation event types. The opfilter Endpoint Security extension only intercepted ES_EVENT_TYPE_AUTH_OPEN events, enabling processes to perform rename, unlink, and five other file operations without policy enforcement or denial logging. …
Remediation
Within 24 hours: inventory all macOS systems running ClearanceKit 4.1 or earlier and assess exposure based on local user population and file access policies in use. Within 7 days: evaluate upgrade feasibility to ClearanceKit 4.2 or later (which includes the fix from commit a3d1733); if immediate upgrade is not possible, implement the compensating controls listed below and document the exception. …
EUVD-2026-16371