Auth bypass in Craigjbass Clearancekit
CVE-2026-40599
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. Th…
Vulnerability class: Broken Access Control
EPSS: 0.000 (3.1th percentile)
Affected products
- Craigjbass Clearancekit — versions < 5.0.5
Weakness classification (CWE)
References
- https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x (x_refsource_CONFIRM)