CVE-2026-33631
Published: 26 March 2026
Summary
CVE-2026-33631 is a high-severity Missing Authorization (CWE-862) vulnerability in Craigjbass Clearancekit. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
Requires a complete reference monitor mechanism that enforces access control policies on all file system operation event types, directly addressing the bypass via unmonitored events.
Mandates enforcement of approved authorizations for file system resource access, ensuring all relevant file operation events like AUTH_RENAME and AUTH_UNLINK are intercepted and evaluated against per-process policies.
Enforces separation and policy requirements using software mechanisms such as Endpoint Security extensions, requiring subscriptions to all file operation event types for comprehensive FAA policy evaluation.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Incomplete ES event coverage in ClearanceKit directly allows local low-privileged processes to bypass FAA policy enforcement (CWE-862), enabling unauthorized file access/modification (privilege escalation via T1068) and impairing the effectiveness of the security tool (T1562.001).
NVD Description
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting ES_EVENT_TYPE_AUTH_OPEN events. Seven additional file operation event types were not intercepted, allowing any locally running process to bypass the configured FAA policy without triggering a denial. Commit a3d1733 adds subscriptions for all seven event types and routes them through the existing FAA policy evaluator. AUTH_RENAME and AUTH_UNLINK additionally preserve XProtect change detection: events on the XProtect path are allowed and trigger the existing onXProtectChanged callback rather than being evaluated against user policy. All versions on the 4.2 branch contain the fix. No known workarounds are available.
Deeper analysis (AI-generated)
CVE-2026-33631 is a vulnerability in ClearanceKit, a macOS tool that intercepts file-system access events to enforce per-process access policies via its opfilter Endpoint Security system extension. Versions on the 4.1 branch and earlier exclusively intercepted ES_EVENT_TYPE_AUTH_OPEN events for File Access Authorization (FAA) policy enforcement, leaving seven additional file operation event types unmonitored. This flaw, classified as CWE-862 (Missing Authorization), allows locally running processes to bypass configured FAA policies without triggering denials, earning a CVSS score of 8.7 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).
A local attacker with low privileges (PR:L) can exploit the vulnerability by issuing file operations through the unmonitored event types from any locally running process. Successful exploitation bypasses FAA restrictions, enabling unauthorized file access and modification with high confidentiality and integrity impact, low availability impact, and a changed scope (S:C), without requiring user interaction or complex setup.
The GitHub security advisory (GHSA-25f8-8cj2-m887) and fixing commit a3d1733 detail the patch, which adds subscriptions for all seven event types and routes them through the existing FAA policy evaluator. For AUTH_RENAME and AUTH_UNLINK events on the XProtect path, allowances preserve change detection via the onXProtectChanged callback instead of user policy evaluation. All versions on the 4.2 branch incorporate the fix, with no known workarounds available.
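To make the coverage gap concrete, here is an added C model of the opfilter dispatch path, constructed for this page and not ClearanceKit's own code: the event enum, the per-process policy, the `trusted-agent` process name and the placeholder XProtect path are all assumptions, and the advisory names only AUTH_RENAME and AUTH_UNLINK among the seven missing event types. The `unmonitored_count` helper is the audit a defender would run against an extension's subscription set.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins mirroring ES_EVENT_TYPE_AUTH_* names. The advisory names
 * only AUTH_RENAME and AUTH_UNLINK; the remaining members are illustrative. */
typedef enum { EV_AUTH_OPEN, EV_AUTH_RENAME, EV_AUTH_UNLINK, EV_AUTH_CREATE,
               EV_AUTH_TRUNCATE, EV_AUTH_LINK, EV_AUTH_CLONE, EV_AUTH_EXCHANGEDATA,
               EV_COUNT } file_event_t;
typedef enum { DECISION_ALLOW, DECISION_DENY, DECISION_UNMONITORED } decision_t;

#define SUB_OPEN_ONLY    (1u << EV_AUTH_OPEN)     /* 4.1 branch: AUTH_OPEN only   */
#define SUB_ALL_FILE_OPS ((1u << EV_COUNT) - 1u)  /* 4.2 branch: every file event */
#define XPROTECT_PATH    "/placeholder/XProtect"  /* placeholder, not the real path */

static int xprotect_changed_calls = 0;  /* stands in for onXProtectChanged */
/* Hypothetical per-process FAA policy: only "trusted-agent" may touch /protected/. */
static bool policy_allows(const char *proc, const char *path) {
    if (strncmp(path, "/protected/", 11) == 0) return strcmp(proc, "trusted-agent") == 0;
    return true;
}

/* Dispatch one auth event. A type the extension never subscribed to is never
 * delivered, so the operation proceeds with no policy check at all; that silent
 * UNMONITORED outcome is the CWE-862 gap. */
decision_t handle_event(unsigned sub_mask, file_event_t ev, const char *proc, const char *path) {
    if (!(sub_mask & (1u << ev))) return DECISION_UNMONITORED;
    /* Fixed behaviour: rename/unlink under the XProtect path is allowed and only
     * fires change detection instead of user policy evaluation. */
    if ((ev == EV_AUTH_RENAME || ev == EV_AUTH_UNLINK) &&
        strncmp(path, XPROTECT_PATH, strlen(XPROTECT_PATH)) == 0) {
        xprotect_changed_calls++;
        return DECISION_ALLOW;
    }
    return policy_allows(proc, path) ? DECISION_ALLOW : DECISION_DENY;
}

/* Audit helper: count file-operation event types a subscription mask leaves unmonitored. */
int unmonitored_count(unsigned sub_mask) {
    int gaps = 0;
    for (int ev = 0; ev < EV_COUNT; ev++) if (!(sub_mask & (1u << ev))) gaps++;
    return gaps;
}

int main(void) {
    printf("AUTH_OPEN-only mask leaves %d event types unmonitored\n", unmonitored_count(SUB_OPEN_ONLY));
    printf("untrusted unlink of /protected/secret: 4.1 -> %d, 4.2 -> %d (2=unmonitored, 1=deny)\n",
           handle_event(SUB_OPEN_ONLY, EV_AUTH_UNLINK, "untrusted", "/protected/secret"),
           handle_event(SUB_ALL_FILE_OPS, EV_AUTH_UNLINK, "untrusted", "/protected/secret"));
    return 0;
}
```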
Details
- CWE(s)