{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40599", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T14:07:59.641Z", "datePublished": "2026-04-21T17:37:05.064Z", "dateUpdated": "2026-04-21T18:35:04.258Z"}, "containers": {"cna": {"title": "ClearanceKit: Ad-hoc signed binaries can spoof Apple process identities in the global allowlist", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x"}], "affected": [{"vendor": "craigjbass", "product": "clearancekit", "versions": [{"version": "< 5.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:37:05.064Z"}, "descriptions": [{"lang": "en", "value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5."}], "source": {"advisory": "GHSA-w253-42qp-5f2x", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T18:35:00.486516Z", "id": "CVE-2026-40599", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:35:04.258Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40599", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T18:35:00.486516Z"}}}], "references": [{"url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:34:48.837Z"}}], "cna": {"title": "ClearanceKit: Ad-hoc signed binaries can spoof Apple process identities in the global allowlist", "source": {"advisory": "GHSA-w253-42qp-5f2x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craigjbass", "product": "clearancekit", "versions": [{"status": "affected", "version": "< 5.0.5"}]}], "references": [{"url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x", "name": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:37:05.064Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40599", "state": "PUBLISHED", "dateUpdated": "2026-04-21T18:35:04.258Z", "dateReserved": "2026-04-14T14:07:59.641Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T17:37:05.064Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craigjbass:clearancekit:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE778DA8-51A8-4F52-B888-A0242BD70CCA", "versionEndExcluding": "5.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5."}], "id": "CVE-2026-40599", "lastModified": "2026-04-24T20:50:42.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T18:16:51.693", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "clearancekit", "source": "cna", "vendor": "craigjbass"}, "product": "clearancekit", "vendor": "craigjbass"}], "analysis": {"en": {"generated_at": "2026-04-22T05:38:59.255522+00:00", "value": {"mitigation_remediation": ["Upgrade ClearanceKit to version 5.0.5 or later, which corrects the Team ID validation bug", "If an upgrade is not immediately feasible, avoid running any locally crafted binaries with an empty Team ID and a non\u2011empty Signing ID on machines using ClearanceKit", "Consider disabling ClearanceKit\u2019s global allowlist feature or performing manual certificate validation for critical processes"], "summary": {"action": "Patch", "impact": "Privilege Escalation and Unauthorized File Access"}, "threat_synthesis": {"affected_systems": "The affected product is ClearanceKit from vendor craigjbass. Versions prior to 5.0.5 contain the vulnerability; all later releases are not affected.", "description_and_impact": "ClearanceKit monitors file\u2011system operations and enforces per\u2011process access rules. The flaw treats any process that has an empty Team ID but a non\u2011empty Signing ID as an Apple system binary. As a result, a malicious application can masquerade as an Apple process in the global allowlist, bypassing all protected\u2011file restrictions and obtaining unrestricted read/write access to system files.", "risk_and_exploitability": "The vulnerability scores a CVSS of 8.4, indicating high severity. No EPSS data is available, and the issue is not listed in the CISA KEV catalog. Exploitation requires local execution of a binary that meets the malformed Team/Signing ID criteria, allowing the attacker to gain privileged file\u2011system access on macOS systems where ClearanceKit is active."}}}}, "created": "2026-04-22T05:45:09.825706+00:00", "updated": "2026-04-22T11:46:00.436387+00:00", "vendors": ["craigjbass", "craigjbass$PRODUCT$clearancekit"]}