CVE-2026-40599
ClearanceKit: Ad-hoc signed binaries can spoof Apple process identities in the global allowlist
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5.
| CWE | CWE-863 |
| Vendor | craigjbass |
| Product | clearancekit |
| Published | Apr 21, 2026 |
| Last Updated | Apr 21, 2026 |
Stay Ahead of the Next One
Get instant alerts for craigjbass clearancekit
Be the first to know when new unknown vulnerabilities affecting craigjbass clearancekit are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
craigjbass / clearancekit
< 5.0.5