Cyber Resilience

CVE-2026-33631

High

Published: 26 March 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: available (4.2 branch)
CVSS Score v3.1: 8.7 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0010 (1.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33631 is a high-severity Missing Authorization (CWE-862) vulnerability in Craigjbass Clearancekit. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-33631 is a vulnerability in ClearanceKit, a macOS tool that intercepts file-system access events to enforce per-process access policies through its opfilter Endpoint Security system extension. Versions on the 4.1 branch and earlier intercepted only ES_EVENT_TYPE_AUTH_OPEN events for File Access Authorization (FAA) policy enforcement, leaving seven additional file operation event types (the advisory names AUTH_RENAME and AUTH_UNLINK among them) unmonitored. Endpoint Security delivers an AUTH event only to clients that subscribed to that event type, so an operation issued through an unsubscribed type completes without the extension ever being asked for a decision. This flaw, classified as CWE-862 (Missing Authorization), allows locally running processes to bypass configured FAA policies without triggering a denial; it carries a CVSS score of 8.7 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).

A local attacker with low privileges (PR:L) exploits the flaw simply by performing the operation through one of the unmonitored event types, for example renaming or unlinking a protected file rather than opening it, from any locally running process. Because those events are never delivered to the extension, no denial is ever issued. Successful exploitation bypasses FAA restrictions and permits unauthorized file access and modification (C:H/I:H), with low availability impact (A:L) and a changed scope (S:C), since the component whose guarantees are defeated is the policy-enforcing extension rather than the attacker's own process. No user interaction (UI:N) or complex setup (AC:L) is required.

The GitHub security advisory (GHSA-25f8-8cj2-m887) and fixing commit a3d1733 describe the patch, which adds subscriptions for all seven event types and routes them through the existing FAA policy evaluator. For AUTH_RENAME and AUTH_UNLINK events on the XProtect path, the fix allows the operation and fires the existing onXProtectChanged callback instead of evaluating user policy, so XProtect change detection is preserved. All versions on the 4.2 branch incorporate the fix. No workaround is known, so the only remediation is to upgrade to a 4.2 release.

Vulnerability details

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting ES_EVENT_TYPE_AUTH_OPEN events. Seven additional file operation event types were not intercepted, allowing any locally running process to bypass the configured FAA policy without triggering a denial. Commit a3d1733 adds subscriptions for all seven event types and routes them through the existing FAA policy evaluator. AUTH_RENAME and AUTH_UNLINK additionally preserve XProtect change detection: events on the XProtect path are allowed and trigger the existing onXProtectChanged callback rather than being evaluated against user policy. All versions on the 4.2 branch contain the fix. No known workarounds are available.
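The following C program is an added illustration of the defect described in the Deeper analysis and Vulnerability details sections above; it is not ClearanceKit's code and does not link against EndpointSecurity.framework. It models the one property that matters here: Endpoint Security delivers an AUTH event only to clients that subscribed to that event type, so an operation issued through an unsubscribed type reaches no policy evaluator at all. The enum contains the event types the advisory names (AUTH_OPEN, AUTH_RENAME, AUTH_UNLINK) plus other real ES file-operation AUTH events chosen to stand in for the rest of the fixed set, since the page does not enumerate all seven; the FAA rule format, the protected directory, the process paths and the XProtect bundle path are assumptions made for the scenario.

```c
/* Stand-alone model of the opfilter subscription gap (CVE-2026-33631) and
 * its fix. Added example, not ClearanceKit's code; no EndpointSecurity
 * headers are used, the types below only mirror the ES naming. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* OPEN, RENAME and UNLINK are named by the advisory; the other members are
 * real ES file-operation AUTH events used here as stand-ins (assumption). */
typedef enum {
    ES_EVENT_TYPE_AUTH_OPEN,
    ES_EVENT_TYPE_AUTH_RENAME,
    ES_EVENT_TYPE_AUTH_UNLINK,
    ES_EVENT_TYPE_AUTH_CREATE,
    ES_EVENT_TYPE_AUTH_TRUNCATE,
    ES_EVENT_TYPE_AUTH_LINK,
    ES_EVENT_TYPE_AUTH_CLONE,
    ES_EVENT_TYPE_AUTH_EXCHANGEDATA,
    ES_EVENT_TYPE_COUNT
} es_event_type_t;

typedef enum { ES_AUTH_RESULT_ALLOW = 0, ES_AUTH_RESULT_DENY = 1 } es_auth_result_t;

typedef struct {
    es_event_type_t type;
    const char *process;   /* executable path of the requesting process */
    const char *target;    /* file-system path the operation touches */
} file_event_t;

/* Hypothetical FAA rule: only `allowed_process` may touch paths under
 * `protected_prefix`. ClearanceKit's real rule format is not on the page. */
typedef struct {
    const char *protected_prefix;
    const char *allowed_process;
} faa_policy_t;

/* Assumed location of the XProtect bundle whose changes the extension tracks. */
static const char kXProtectPath[] =
    "/Library/Apple/System/Library/CoreServices/XProtect.bundle";

static bool has_prefix(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* The user-policy evaluator; the fix routes every subscribed event here. */
static es_auth_result_t evaluate_faa(const faa_policy_t *p, const file_event_t *ev) {
    if (has_prefix(ev->target, p->protected_prefix) &&
        strcmp(ev->process, p->allowed_process) != 0)
        return ES_AUTH_RESULT_DENY;
    return ES_AUTH_RESULT_ALLOW;
}

/* 4.1 branch and earlier: only AUTH_OPEN is subscribed. */
const es_event_type_t kVulnerableSubs[] = { ES_EVENT_TYPE_AUTH_OPEN };
const size_t kVulnerableSubsCount = 1;
/* 4.2 branch: every file-operation AUTH type is subscribed. */
const es_event_type_t kFixedSubs[] = {
    ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_RENAME, ES_EVENT_TYPE_AUTH_UNLINK,
    ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_LINK,
    ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA
};
const size_t kFixedSubsCount = sizeof(kFixedSubs) / sizeof(kFixedSubs[0]);

/* What kernel plus extension do with one event. An unsubscribed event type
 * is never delivered, so the operation proceeds with no policy decision:
 * that silent ALLOW is the CWE-862 bypass. For RENAME/UNLINK under the
 * XProtect path the fixed handler allows the operation and fires the
 * change callback (onXProtectChanged) instead of consulting user policy. */
es_auth_result_t dispatch(const es_event_type_t *subs, size_t nsubs,
                          const faa_policy_t *policy, const file_event_t *ev,
                          bool *xprotect_changed) {
    bool subscribed = false;
    for (size_t i = 0; i < nsubs; i++)
        if (subs[i] == ev->type) subscribed = true;
    if (!subscribed)
        return ES_AUTH_RESULT_ALLOW;            /* never intercepted */

    if ((ev->type == ES_EVENT_TYPE_AUTH_RENAME || ev->type == ES_EVENT_TYPE_AUTH_UNLINK) &&
        has_prefix(ev->target, kXProtectPath)) {
        if (xprotect_changed) *xprotect_changed = true;
        return ES_AUTH_RESULT_ALLOW;
    }
    return evaluate_faa(policy, ev);
}

/* Constructed scenario: an unprivileged process deletes a protected file. */
const faa_policy_t kPolicy = { "/Users/alice/Secrets",
                               "/Applications/KeyMgr.app/Contents/MacOS/KeyMgr" };
const file_event_t kUnlinkSecret = { ES_EVENT_TYPE_AUTH_UNLINK, "/bin/rm",
                                     "/Users/alice/Secrets/id_ed25519" };
const file_event_t kOpenSecret   = { ES_EVENT_TYPE_AUTH_OPEN, "/bin/cat",
                                     "/Users/alice/Secrets/id_ed25519" };

int main(void) {
    bool xp = false;
    printf("unlink under 4.1 subscriptions: %s\n",
           dispatch(kVulnerableSubs, kVulnerableSubsCount, &kPolicy, &kUnlinkSecret, &xp) ? "DENY" : "ALLOW");
    printf("unlink under 4.2 subscriptions: %s\n",
           dispatch(kFixedSubs, kFixedSubsCount, &kPolicy, &kUnlinkSecret, &xp) ? "DENY" : "ALLOW");
    return 0;
}
```

Built with any C11 compiler, the program reports ALLOW for the unlink under the 4.1-era subscription and DENY under the 4.2 subscription, while an AUTH_OPEN of the same file is denied under both. The point the model makes is that the policy evaluator was never wrong; the gap was in front of it, in which events were subscribed at all, which is why a complete reference monitor (AC-25) has to cover every operation type that can reach the protected object.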

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1562.001 Disable or Modify Tools (Defense Evasion; sub-technique of T1562 Impair Defenses)
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

Incomplete ES event coverage in ClearanceKit directly allows local low-privileged processes to bypass FAA policy enforcement (CWE-862), enabling unauthorized file access/modification (privilege escalation via T1068) and impairing the effectiveness of the security tool (T1562.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33632 (same product: Craigjbass Clearancekit)
CVE-2026-40599 (same product: Craigjbass Clearancekit)
CVE-2026-32658 (shared CWE-862)
CVE-2026-6506 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2025-21396 (shared CWE-862)
CVE-2021-47701 (shared CWE-862)
CVE-2026-40349 (shared CWE-862)
CVE-2024-57726 (shared CWE-862)
CVE-2025-7665 (shared CWE-862)

Affected Assets

craigjbass / clearancekit: versions on the 4.1 branch and earlier (< 4.2); fixed on the 4.2 branch

Mitigating Controls (NIST 800-53 r5)

AC-25 Reference Monitor (prevent): Requires a complete reference monitor mechanism that enforces access control policies on all file system operation event types, directly addressing the bypass via unmonitored events.

AC-3 Access Enforcement (prevent): Mandates enforcement of approved authorizations for file system resource access, ensuring all relevant file operation events such as AUTH_RENAME and AUTH_UNLINK are intercepted and evaluated against per-process policies.

prevent: Enforces separation and policy requirements using software mechanisms such as Endpoint Security extensions, requiring subscriptions to all file operation event types for comprehensive FAA policy evaluation.
