CVE-2026-33632
Published: 26 March 2026
Summary
CVE-2026-33632 is a high-severity Missing Authorization (CWE-862) vulnerability in Craigjbass Clearancekit. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1562.001). It ranks at the 3.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-25 (Reference Monitor): mandates a tamper-resistant reference monitor that is always invoked for all file system operations, directly preventing bypass of ClearanceKit's policy enforcement via unmonitored ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE events.
AC-3 (Access Enforcement): requires enforcement of approved access authorizations for file system resources, countering the vulnerability's failure to intercept and evaluate specific file operation events against per-process policies.
Flaw remediation: directly requires identification, reporting, and correction of the flaw in ClearanceKit prior to v4.2.4, including patching via commit 6181c4a to subscribe to the missing event types and route them through the policy evaluator.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a bypass of ClearanceKit's Endpoint Security policy enforcement for two specific file-system events (exchangedata and clone). This impairs the function of a defensive tool without requiring the attacker to disable or modify it, which is why T1562.001 is the closest fit.
NVD Description
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.4, two file operation event types — ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE — were not intercepted by ClearanceKit's opfilter system extension, allowing local processes to bypass file access policies. Commit 6181c4a patches the vulnerability by subscribing to both event types and routing them through the existing policy evaluator. Users must upgrade to v4.2.4 or later and reactivate the system extension.
Deeper analysis
ClearanceKit, a macOS tool that intercepts file-system access events and enforces per-process access policies via its opfilter system extension, is affected by CVE-2026-33632 in versions prior to 4.2.4. The vulnerability stems from the failure to intercept two specific Endpoint Security Framework event types—ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE—allowing local processes to bypass file access policies entirely. Published on 2026-03-26, this issue is mapped to CWE-862 (Missing Authorization) and assigned a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Local attackers with low privileges (PR:L) can exploit the vulnerability with low complexity and no user interaction by performing file operations that surface as the unmonitored exchangedata or clone events. Because those events never reach the policy evaluator, the enforcement step is skipped, resulting in high-impact confidentiality loss (reading protected files), integrity loss (modifying restricted data), and availability loss (file system interference).
Mitigation requires upgrading to ClearanceKit version 4.2.4 or later, where commit 6181c4a addresses the issue by subscribing to both event types and routing them through the policy evaluator; users must then reactivate the system extension. Additional details are available in the GitHub security advisory at GHSA-wpxj-vhfp-hhvm and the patch commit at https://github.com/craigjbass/clearancekit/commit/6181c4a22eccbeca973c77f4bd023eb795c13786.
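To make the fix concrete, here is a small C model added for this write-up; it is not ClearanceKit's code and uses constructed event and policy names rather than the real EndpointSecurity.h types. It shows why an evaluator that only sees subscribed events silently allows exchangedata and clone, and how routing both through the same per-process policy, checking every path the operation touches, closes the gap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the Endpoint Security AUTH events involved; not the
 * framework's real enum and not ClearanceKit's code. */
typedef enum { EV_AUTH_OPEN, EV_AUTH_EXCHANGEDATA, EV_AUTH_CLONE } event_kind;
typedef struct {
    event_kind  kind;
    const char *proc;    /* path of the process requesting the operation */
    const char *path_a;  /* open: the file; exchangedata: file1; clone: source file */
    const char *path_b;  /* exchangedata: file2; clone: target directory; else NULL */
} fs_event;

/* Hypothetical per-process policy: a process may only touch one directory tree. */
typedef struct { const char *proc; const char *allowed_prefix; } policy;
static const policy POLICIES[] = {
    { "/usr/local/bin/backup", "/Users/alice/Backups/" },  /* constructed sample */
};

static bool path_allowed(const char *proc, const char *path) {
    for (size_t i = 0; i < sizeof POLICIES / sizeof POLICIES[0]; i++)
        if (strcmp(POLICIES[i].proc, proc) == 0)
            return path != NULL && strncmp(path, POLICIES[i].allowed_prefix,
                                           strlen(POLICIES[i].allowed_prefix)) == 0;
    return true;  /* no policy registered for this process: unrestricted */
}
/* Pre-4.2.4 shape of the flaw: only subscribed events reach the evaluator, so an
 * unsubscribed exchangedata or clone is never checked and is allowed by default. */
static bool evaluate_unpatched(const fs_event *e) {
    return e->kind == EV_AUTH_OPEN ? path_allowed(e->proc, e->path_a) : true;
}

/* Patched shape: the added event types go through the same evaluator, and every
 * path the operation touches must be allowed. Unknown kinds fail closed. */
static bool evaluate_patched(const fs_event *e) {
    switch (e->kind) {
    case EV_AUTH_OPEN:         return path_allowed(e->proc, e->path_a);
    case EV_AUTH_EXCHANGEDATA: /* both files change contents */
    case EV_AUTH_CLONE:        /* source is read, target directory gains a file */
        return path_allowed(e->proc, e->path_a) && path_allowed(e->proc, e->path_b);
    }
    return false;
}

/* Decide one constructed event under either build, for the checks below. */
static bool decide(bool patched, event_kind k, const char *proc, const char *a, const char *b) {
    fs_event e = { k, proc, a, b };
    return patched ? evaluate_patched(&e) : evaluate_unpatched(&e);
}
```

The unpatched evaluator lets a confined process swap a protected file's contents via exchangedata because that event type never reaches it; the patched one denies the same operation because file2 lies outside the process's allowed tree.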
Details
- CWE(s)