CVE-2026-33631
File Access Bypass in ClearanceKit macOS Endpoint Security
Publication date: 2026-03-26
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craigjbass | clearancekit | before 4.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows local processes to bypass configured file access policies, leading to unauthorized exfiltration of protected data such as Safari cookies, Signal message databases, and Discord local state, as well as destruction of protected files and metadata leakage.
Such unauthorized access and data leakage can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality and integrity of sensitive personal and health information.
Because the vulnerability impacts confidentiality and integrity with high severity, organizations using affected versions of ClearanceKit may face compliance risks if the vulnerability is exploited, potentially leading to data breaches and regulatory penalties.
Mitigation requires upgrading to version 4.2 or later, which patches the issue by intercepting all relevant file operation events and enforcing policies comprehensively.
Can you explain this vulnerability to me?
CVE-2026-33631 is a high-severity vulnerability in ClearanceKit's opfilter system extension versions up to 4.1-*. The extension enforces file access policies by intercepting only file open events (ES_EVENT_TYPE_AUTH_OPEN), but it neglects seven other file operation event types.
Because these seven additional file operations were not intercepted, any local process with user-level privileges could bypass the configured File Access Authorization (FAA) policies by performing operations such as renaming, unlinking, linking, creating, truncating, copying files, or reading directory contents without triggering denials.
This means unauthorized processes could access, modify, or exfiltrate protected files and data without being blocked by the policy enforcement.
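The coverage gap described in this answer, as an added C model that is not ClearanceKit's code: a policy callback runs only for subscribed event types, so an audit of the subscription mask shows which operations bypass it. The enum names, the protected path and all function names are assumptions made for this example; the real event constants are the `ES_EVENT_TYPE_AUTH_*` values in Apple's Endpoint Security headers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins (assumed names) for the eight AUTH events the advisory lists. */
typedef enum { EV_OPEN, EV_RENAME, EV_UNLINK, EV_LINK, EV_CREATE,
               EV_TRUNCATE, EV_COPYFILE, EV_READDIR, EV_COUNT } ev_t;
static const char *EV_NAME[EV_COUNT] = { "open", "rename", "unlink", "link",
    "create", "truncate", "copyfile", "readdir" };

#define BIT(e)        (1u << (e))
#define SUBS_OPENONLY BIT(EV_OPEN)          /* open-only subscription, as before 4.2 */
#define SUBS_ALL      (BIT(EV_COUNT) - 1u)  /* all eight event types */

/* Hypothetical FAA rule: one protected path prefix (constructed sample value). */
static const char *PROTECTED = "/Users/alice/Library/Cookies/";

static bool policy_denies(const char *path) {
    return strncmp(path, PROTECTED, strlen(PROTECTED)) == 0;
}

/* Model of event delivery: the policy is consulted only for subscribed events.
   An unsubscribed operation never reaches the callback and simply proceeds. */
bool operation_allowed(unsigned subs, ev_t ev, const char *path) {
    if (!(subs & BIT(ev))) return true;     /* not delivered, so never checked */
    return !policy_denies(path);
}

/* Coverage audit: bitmask of event types the policy never sees. */
unsigned missing_events(unsigned subs) { return SUBS_ALL & ~subs; }

int count_bits(unsigned m) { int n = 0; for (; m; m &= m - 1) n++; return n; }

int main(void) {
    const char *target = "/Users/alice/Library/Cookies/Cookies.binarycookies";
    unsigned configs[2] = { SUBS_OPENONLY, SUBS_ALL };
    for (int c = 0; c < 2; c++) {
        printf("subscription mask 0x%02x, %d event type(s) uncovered\n",
               configs[c], count_bits(missing_events(configs[c])));
        for (int e = 0; e < EV_COUNT; e++)
            printf("  %-8s -> %s\n", EV_NAME[e],
                   operation_allowed(configs[c], (ev_t)e, target) ? "ALLOWED" : "denied");
    }
    return 0;
}
```

A check like `missing_events` fits in a unit test for any Endpoint Security client, so that a policy cannot ship with file-affecting event types left unsubscribed.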
How can this vulnerability impact me?
This vulnerability allows unauthorized local processes to bypass file access policies, leading to several serious impacts:
- Unauthorized exfiltration of protected data such as Safari cookies, Signal message databases, and Discord local state.
- Destruction or unauthorized modification of protected files.
- Leakage of metadata through directory enumeration.
Both managed (MDM-deployed) and user-defined FAA rules are affected, and global allowlists or process ancestry checks do not apply to the unmonitored event types, increasing the risk.
The vulnerability has a high CVSS score of 8.7, reflecting significant confidentiality and integrity impacts with limited availability impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves ClearanceKit's opfilter system extension on macOS, which previously intercepted only ES_EVENT_TYPE_AUTH_OPEN events but missed seven other file operation event types. Detection involves monitoring file operation events such as rename, unlink, link, create, truncate, copyfile, and readdir that ClearanceKit failed to intercept before version 4.2.
Since ClearanceKit logs all intercepted operations for auditing after the patch, reviewing these logs can help detect suspicious file operations that might indicate exploitation attempts.
No specific commands are provided in the available resources to detect this vulnerability directly on your system or network.
What immediate steps should I take to mitigate this vulnerability?
The only effective mitigation is to upgrade ClearanceKit to version 4.2-da58a49 or later, which includes the patch that adds interception and policy enforcement for all relevant file operation event types.
After upgrading, you must reactivate the system extension via Setup → Update to ensure the new event subscriptions and policy evaluations are active.
No known workarounds exist for this vulnerability, so timely upgrading and reactivation are critical to prevent unauthorized file access or modification.