Executive Summary

CVE-2026-33631 is a high-severity vulnerability in ClearanceKit's opfilter system extension versions up to 4.1-*. The extension enforces file access policies by intercepting only file open events (ES_EVENT_TYPE_AUTH_OPEN), but it neglects seven other file operation event types.

Because these seven additional file operations were not intercepted, any local process with user-level privileges could bypass the configured File Access Authorization (FAA) policies by performing operations such as renaming, unlinking, linking, creating, truncating, copying files, or reading directory contents without triggering denials.

This means unauthorized processes could access, modify, or exfiltrate protected files and data without being blocked by the policy enforcement.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows local processes to bypass configured file access policies, leading to unauthorized exfiltration of protected data such as Safari cookies, Signal message databases, and Discord local state, as well as destruction of protected files and metadata leakage.

Such unauthorized access and data leakage can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality and integrity of sensitive personal and health information.

Because the vulnerability impacts confidentiality and integrity with high severity, organizations using affected versions of ClearanceKit may face compliance risks if the vulnerability is exploited, potentially leading to data breaches and regulatory penalties.

Mitigation requires upgrading to version 4.2 or later, which patches the issue by intercepting all relevant file operation events and enforcing policies comprehensively.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthorized local processes to bypass file access policies, leading to several serious impacts:

• Unauthorized exfiltration of protected data such as Safari cookies, Signal message databases, and Discord local state.
• Destruction or unauthorized modification of protected files.
• Leakage of metadata through directory enumeration.

Both managed (MDM-deployed) and user-defined FAA rules are affected, and global allowlists or process ancestry checks do not apply to the unmonitored event types, increasing the risk.

The vulnerability has a high CVSS score of 8.7, reflecting significant confidentiality and integrity impacts with limited availability impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves ClearanceKit's opfilter system extension on macOS, which previously intercepted only ES_EVENT_TYPE_AUTH_OPEN events but missed seven other file operation event types. Detection involves monitoring file operation events such as rename, unlink, link, create, truncate, copyfile, and readdir that ClearanceKit failed to intercept before version 4.2.

Since ClearanceKit logs all intercepted operations for auditing after the patch, reviewing these logs can help detect suspicious file operations that might indicate exploitation attempts.

No specific commands are provided in the available resources to detect this vulnerability directly on your system or network.

Useful 0 Not Useful 0

Mitigation Strategies

The only effective mitigation is to upgrade ClearanceKit to version 4.2-da58a49 or later, which includes the patch that adds interception and policy enforcement for all relevant file operation event types.

After upgrading, you must reactivate the system extension via Setup → Update to ensure the new event subscriptions and policy evaluations are active.

No known workarounds exist for this vulnerability, so timely upgrading and reactivation are critical to prevent unauthorized file access or modification.

Useful 0 Not Useful 0