CVE-2026-40599

EUVD-2026-24209
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
craigjbassclearancekit
𝑥
< 5.0.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x
https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x