Cyber Resilience

CVE-2026-40599

Severity: High · Public PoC

Published: 21 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: fixed in 5.0.5
CVSS v4 score: 8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0013 (percentile 3.2)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40599 is a high-severity Incorrect Authorization (CWE-863) vulnerability in craigjbass ClearanceKit. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Masquerading (T1036). The CVE ranks at the 3.2 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

ClearanceKit, a macOS tool that intercepts file-system access events and enforces per-process access policies, contains in versions prior to 5.0.5 the vulnerability designated CVE-2026-40599. The flaw stems from ClearanceKit incorrectly classifying a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This misclassification lets malicious software impersonate an allowlisted Apple process, bypass global access restrictions, and reach protected files. The issue is rated 7.1 on the CVSS 3.1 scale (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-863 (Incorrect Authorization).

A local attacker with low privileges can exploit this vulnerability by crafting a malicious process that mimics an Apple binary through the specified signing attributes. Upon execution, the process gains unauthorized access to all files protected by ClearanceKit's policies, allowing high-impact confidentiality and integrity violations such as data exfiltration or modification without affecting availability.

The vulnerability is addressed in ClearanceKit version 5.0.5, which corrects the Team ID and Signing ID validation logic. Additional details on the patch and mitigation steps are available in the security advisory at https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x. Security practitioners should update to 5.0.5 or later and review process signing in environments using ClearanceKit.

Vulnerability details

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows malicious software to impersonate an Apple process in the global allowlist and access all protected files. This vulnerability is fixed in 5.0.5.
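To make the misclassification concrete, here is an added Python example (not ClearanceKit's code) that models the pre-5.0.5 rule beside a stricter, hypothetical one over constructed records in the style of `codesign -dvvv` output. It assumes codesign's `Identifier=`, `TeamIdentifier=not set` and `Authority=` fields, and that genuine Apple platform binaries chain from `Software Signing` to `Apple Root CA`; the paths and identifiers in the samples are made up.

```python
# Constructed samples in the style of `codesign -dvvv <path>` output. The field
# names are codesign's; the paths, identifiers and chains are made up for illustration.
PLATFORM_SAMPLE = """\
Executable=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
Identifier=com.apple.finder
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set
"""
ADHOC_SAMPLE = """\
Executable=/tmp/build/lookalike
Identifier=com.apple.finder
Signature=adhoc
TeamIdentifier=not set
"""
DEVELOPER_SAMPLE = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

def parse_codesign(text):
    """Turn key=value lines into a dict; repeated Authority lines keep their order."""
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key == "Authority":
            info["Authority"].append(value)
        elif sep:
            info[key] = value
    return info

def team_id_empty(info):
    # codesign prints "not set" where the signature carries no Team ID.
    return info.get("TeamIdentifier", "not set") in ("", "not set")

def vulnerable_is_platform(info):
    """The pre-5.0.5 rule as the advisory describes it: empty Team ID plus any Signing ID."""
    return team_id_empty(info) and bool(info.get("Identifier"))

def hardened_is_platform(info):
    """Hypothetical stricter rule: additionally require Apple's own platform signing chain."""
    chain = info["Authority"]
    return team_id_empty(info) and chain[:1] == ["Software Signing"] and chain[-1:] == ["Apple Root CA"]

def audit(samples):
    """Executables the pre-5.0.5 rule would allowlist but the stricter rule rejects."""
    flagged = []
    for info in map(parse_codesign, samples):
        if vulnerable_is_platform(info) and not hardened_is_platform(info):
            flagged.append(info["Executable"])
    return flagged
```

Run over real `codesign -dvvv` output for the processes an allowlist names, `audit` lists binaries that only the weak rule accepts, which is the set worth reviewing on hosts that ran ClearanceKit before 5.0.5.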

CWE(s): CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1036 Masquerading (Stealth)
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

T1548 Abuse Elevation Control Mechanism (Privilege Escalation)
Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions.

Why these techniques?

The vulnerability enables malicious software to impersonate a whitelisted Apple process through misclassification of signing attributes (empty Team ID, non-empty Signing ID), directly facilitating T1036: Masquerading. It also allows bypassing per-process access policies and global restrictions to reach protected files, mapping to T1548: Abuse Elevation Control Mechanism for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-44305 (same product: Apple macOS)
CVE-2025-24233 (same product: Apple macOS)
CVE-2026-28951 (same product: Apple macOS)
CVE-2024-54537 (same product: Apple macOS)
CVE-2024-54530 (same product: Apple macOS)
CVE-2024-40771 (same product: Apple macOS)
CVE-2026-21274 (same product: Apple macOS)
CVE-2026-28924 (same product: Apple macOS)
CVE-2025-24195 (same product: Apple macOS)
CVE-2026-28925 (same product: Apple macOS)

Affected Assets

craigjbass / clearancekit, versions ≤ 5.0.5

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of flaws like the ClearanceKit process classification bug, directly mitigated by patching to version 5.0.5.

AC-3 Access Enforcement (prevent)
Mandates enforcement of approved authorizations for file-system access based on accurate process identification, preventing impersonation via misclassified signing attributes.

Software integrity (prevent)
Enforces software integrity checks, including proper validation of code signing attributes like Team ID, to block execution of impersonating processes.

References