Cyber Resilience

CVE-2026-33632

Severity: High

Published: 26 March 2026
Modified: 21 April 2026
Patch: available
CVSS v4 score: 8.4 (High)
CVSS v4 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0010 (1.1th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33632 is a high-severity Missing Authorization (CWE-862) vulnerability in Craigjbass Clearancekit. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685). The CVE is ranked at the 1.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

ClearanceKit, a macOS tool that intercepts file-system access events and enforces per-process access policies via its opfilter system extension, is affected by CVE-2026-33632 in versions prior to 4.2.4. The vulnerability stems from the failure to intercept two specific Endpoint Security Framework event types—ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE—allowing local processes to bypass file access policies entirely. Published on 2026-03-26, this issue is mapped to CWE-862 (Missing Authorization) and assigned a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Local attackers with low privileges (PR:L) can exploit the vulnerability with low complexity and no user interaction by invoking file operations through the unmonitored exchangedata or clone events. This enables evasion of ClearanceKit's policy enforcement, resulting in high-impact unauthorized confidentiality breaches (e.g., reading protected files), integrity violations (e.g., modifying restricted data), and availability disruptions (e.g., file system interference).

Mitigation requires upgrading to ClearanceKit version 4.2.4 or later, where commit 6181c4a addresses the issue by subscribing to both event types and routing them through the policy evaluator; users must then reactivate the system extension. Additional details are available in the GitHub security advisory at GHSA-wpxj-vhfp-hhvm and the patch commit at https://github.com/craigjbass/clearancekit/commit/6181c4a22eccbeca973c77f4bd023eb795c13786.
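As an added illustration of the defensive pattern the fix describes (this is not ClearanceKit's code; its evaluator and policy format are not on this page), the following Objective-C Endpoint Security client subscribes to the full set of file-operation AUTH events, including ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE, and routes every path those events touch through one policy check. `allowed_file` and its "/protected/" rule are placeholders; running it assumes macOS, the Endpoint Security client entitlement, and root or a system-extension context.

```objective-c
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <bsm/libbsm.h>
#include <limits.h>
#include <string.h>
// Hypothetical per-process policy check with a placeholder rule (no process may touch
// anything under a "/protected/" directory); ClearanceKit's real evaluator and policy
// format are not on the page. es_file_t paths are not NUL-terminated, so copy first.
static bool allowed_file(pid_t pid, const es_file_t *f) {
    char path[PATH_MAX];
    size_t n = f->path.length < sizeof(path) - 1 ? f->path.length : sizeof(path) - 1;
    memcpy(path, f->path.data, n);
    path[n] = '\0';
    (void)pid;  // a real evaluator would look up this process's policy here
    return strstr(path, "/protected/") == NULL;
}
// The AUTH events through which a process can read, write, replace or duplicate file
// contents. The last two are the ones ClearanceKit < 4.2.4 did not subscribe to; leaving
// any of them out leaves a route around the policy the others enforce.
static const es_event_type_t kFileAuthEvents[] = {
    ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_LINK, ES_EVENT_TYPE_AUTH_RENAME,
    ES_EVENT_TYPE_AUTH_EXCHANGEDATA, ES_EVENT_TYPE_AUTH_CLONE,
};
int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
        pid_t pid = audit_token_to_pid(m->process->audit_token); bool ok = true;
        switch (m->event_type) {
        case ES_EVENT_TYPE_AUTH_OPEN:   ok = allowed_file(pid, m->event.open.file);     break;
        case ES_EVENT_TYPE_AUTH_LINK:   ok = allowed_file(pid, m->event.link.source);   break;
        case ES_EVENT_TYPE_AUTH_RENAME: ok = allowed_file(pid, m->event.rename.source); break;
        case ES_EVENT_TYPE_AUTH_EXCHANGEDATA:  // swaps the contents of two files: check both
            ok = allowed_file(pid, m->event.exchangedata.file1) &&
                 allowed_file(pid, m->event.exchangedata.file2);
            break;
        case ES_EVENT_TYPE_AUTH_CLONE:  ok = allowed_file(pid, m->event.clone.source); break;  // source copied to target_dir/target_name
        default: break;  // not subscribed; nothing to authorize
        }
        if (m->event_type == ES_EVENT_TYPE_AUTH_OPEN)  // OPEN is answered with the permitted fflags, not allow/deny
            es_respond_flags_result(c, m, ok ? UINT32_MAX : 0, false);
        else
            es_respond_auth_result(c, m, ok ? ES_AUTH_RESULT_ALLOW : ES_AUTH_RESULT_DENY, false);
    });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) { NSLog(@"es_new_client failed: %d", (int)res); return 1; }
    uint32_t count = (uint32_t)(sizeof kFileAuthEvents / sizeof kFileAuthEvents[0]);
    if (es_subscribe(client, kFileAuthEvents, count) != ES_RETURN_SUCCESS) {
        NSLog(@"es_subscribe failed"); es_delete_client(client); return 1;
    }
    dispatch_main();  // service AUTH requests until the extension is stopped
}
```

Build with `clang -fobjc-arc -framework Foundation -framework EndpointSecurity -lbsm`; a client that omits either of the last two event types from `kFileAuthEvents` never sees those operations and so cannot deny them, which is the gap the advisory describes.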

Vulnerability details

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.4, two file operation event types — ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE — were not intercepted by ClearanceKit's opfilter system extension, allowing local processes to bypass file access policies. Commit 6181c4a patches the vulnerability by subscribing to both event types and routing them through the existing policy evaluator. Users must upgrade to v4.2.4 or later and reactivate the system extension.

CWE(s)

CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1685 Disable or Modify Tools (Defense Impairment)
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

The CVE describes a bypass of ClearanceKit's Endpoint Security policy enforcement for specific FS events (exchangedata/clone), directly impairing the function of a defensive tool without requiring its disablement or modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33631 (same product: Craigjbass Clearancekit)
CVE-2026-40599 (same product: Craigjbass Clearancekit)
CVE-2025-30107 (shared CWE-862)
CVE-2025-26375 (shared CWE-862)
CVE-2025-0952 (shared CWE-862)
CVE-2025-2110 (shared CWE-862)
CVE-2025-69311 (shared CWE-862)
CVE-2024-12920 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2025-12975 (shared CWE-862)

Affected Assets

Vendor: craigjbass
Product: clearancekit
Versions: ≤ 4.2.4

Mitigating Controls (NIST 800-53 r5)

AC-25 Reference Monitor (prevent): Mandates a tamper-resistant reference monitor that is always invoked for all file system operations, directly preventing bypass of ClearanceKit's policy enforcement via unmonitored ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE events.

AC-3 Access Enforcement (prevent): Requires enforcement of approved access authorizations for file system resources, countering the vulnerability's failure to intercept and evaluate specific file operation events against per-process policies.

Flaw remediation (prevent): Directly requires identification, reporting, and correction of the flaw in ClearanceKit prior to v4.2.4, including patching via commit 6181c4a to subscribe to and route the missing event types through the policy evaluator.

References