CVE-2026-33631: CWE-862: Missing Authorization in craigjbass clearancekit
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting ES_EVENT_TYPE_AUTH_OPEN events. Seven additional file operation event types were not intercepted, allowing any locally running process to bypass the configured FAA policy without triggering a denial. Commit a3d1733 adds subscriptions for all seven event types and routes them through the existing FAA policy evaluator. AUTH_RENAME and AUTH_UNLINK additionally preserve XProtect change detection: events on the XProtect path are allowed and trigger the existing onXProtectChanged callback rather than being evaluated against user policy. All versions on the 4.2 branch contain the fix. No known workarounds are available.
AI Analysis
Technical Summary
ClearanceKit on macOS enforces per-process file access policies via its Endpoint Security system extension. Versions before 4.2 only intercepted ES_EVENT_TYPE_AUTH_OPEN events to enforce policy, neglecting seven other file operation event types. This missing authorization check (CWE-862) allowed local processes to bypass file access restrictions. The fix in version 4.2 adds subscriptions for all seven missing event types, routing them through the existing policy evaluator, and maintains XProtect change detection for rename and unlink events.
Potential Impact
An attacker with local low-privilege access can bypass configured file access policies, potentially leading to unauthorized file reads, writes, renames, or deletions. The vulnerability affects confidentiality, integrity, and availability of files protected by ClearanceKit. The CVSS score of 8.7 reflects high impact with local attack vector, low complexity, and no user interaction required.
Mitigation Recommendations
Upgrade ClearanceKit to version 4.2 or later, which contains the official fix addressing this missing authorization enforcement. No workarounds are currently available. Until patched, systems remain vulnerable to local policy bypass.
CVE-2026-33631: CWE-862: Missing Authorization in craigjbass clearancekit
Description
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting ES_EVENT_TYPE_AUTH_OPEN events. Seven additional file operation event types were not intercepted, allowing any locally running process to bypass the configured FAA policy without triggering a denial. Commit a3d1733 adds subscriptions for all seven event types and routes them through the existing FAA policy evaluator. AUTH_RENAME and AUTH_UNLINK additionally preserve XProtect change detection: events on the XProtect path are allowed and trigger the existing onXProtectChanged callback rather than being evaluated against user policy. All versions on the 4.2 branch contain the fix. No known workarounds are available.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
ClearanceKit on macOS enforces per-process file access policies via its Endpoint Security system extension. Versions before 4.2 only intercepted ES_EVENT_TYPE_AUTH_OPEN events to enforce policy, neglecting seven other file operation event types. This missing authorization check (CWE-862) allowed local processes to bypass file access restrictions. The fix in version 4.2 adds subscriptions for all seven missing event types, routing them through the existing policy evaluator, and maintains XProtect change detection for rename and unlink events.
Potential Impact
An attacker with local low-privilege access can bypass configured file access policies, potentially leading to unauthorized file reads, writes, renames, or deletions. The vulnerability affects confidentiality, integrity, and availability of files protected by ClearanceKit. The CVSS score of 8.7 reflects high impact with local attack vector, low complexity, and no user interaction required.
Mitigation Recommendations
Upgrade ClearanceKit to version 4.2 or later, which contains the official fix addressing this missing authorization enforcement. No workarounds are currently available. Until patched, systems remain vulnerable to local policy bypass.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T14:24:11.618Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c58caf3c064ed76fc66ffc
Added to database: 3/26/2026, 7:44:47 PM
Last enriched: 4/3/2026, 1:07:24 PM
Last updated: 5/10/2026, 2:35:09 PM
Views: 50
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.