CVE-2026-40599
Published: 21 April 2026
Summary
CVE-2026-40599 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Craigjbass Clearancekit. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Masquerading (T1036). The CVE ranks at the 2.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and correction of flaws like the ClearanceKit process classification bug, directly mitigated by patching to version 5.0.5.
Mandates enforcement of approved authorizations for file-system access based on accurate process identification, preventing impersonation via misclassified signing attributes.
Enforces software integrity checks, including proper validation of code signing attributes like Team ID, to block execution of impersonating processes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables malicious software to impersonate a whitelisted Apple process through misclassification of signing attributes (empty Team ID, non-empty Signing ID), directly facilitating T1036: Masquerading. It also allows bypassing per-process access policies and global restrictions to reach protected files, mapping to T1548: Abuse Elevation Control Mechanism for unauthorized access.
NVD Description
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows malicious software to impersonate an Apple process in the global allowlist, and access all protected files. This vulnerability is fixed in 5.0.5.
Deeper analysis
ClearanceKit, a macOS tool that intercepts file-system access events and enforces per-process access policies, contains a vulnerability in versions prior to 5.0.5 designated as CVE-2026-40599. The flaw stems from ClearanceKit incorrectly classifying a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This misclassification enables malicious software to impersonate a whitelisted Apple process, bypassing global access restrictions and reaching protected files. The issue is rated 7.1 on the CVSS 3.1 scale (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-863 (Incorrect Authorization).
A local attacker with low privileges can exploit this vulnerability by crafting a malicious process that mimics an Apple binary through the specified signing attributes. Upon execution, the process gains unauthorized access to all files protected by ClearanceKit's policies, allowing high-impact confidentiality and integrity violations such as data exfiltration or modification without affecting availability.
The vulnerability is addressed in ClearanceKit version 5.0.5, which corrects the Team ID and Signing ID validation logic. Additional details on the patch and mitigation steps are available in the security advisory at https://github.com/craigjbass/clearancekit/security/advisories/GHSA-w253-42qp-5f2x. Security practitioners should update to 5.0.5 or later and review process signing in environments using ClearanceKit.
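The classification rule described above can be modelled in a few lines to see why it fails open. This is an added example, not ClearanceKit's code or the 5.0.5 patch: the `SigningInfo` type, the `is_platform_binary` field, the allowlist entry and the sample events are all constructed for illustration, and the stricter rule is one possible check, assuming the event source reports its own platform-binary verdict.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SigningInfo:
    team_id: str              # Team ID from the code signature; may be empty
    signing_id: str           # Signing ID from the code signature
    is_platform_binary: bool  # hypothetical field: the OS's own platform-binary verdict

# Constructed global allowlist of Apple processes, keyed by Signing ID.
GLOBAL_APPLE_ALLOWLIST = {"com.apple.example-daemon"}

def is_apple_flawed(p: SigningInfo) -> bool:
    # Rule as the advisory describes it for versions before 5.0.5:
    # empty Team ID + non-empty Signing ID is read as "Apple platform binary".
    return p.team_id == "" and p.signing_id != ""

def is_apple_strict(p: SigningInfo) -> bool:
    # Stricter rule (assumption): a missing Team ID proves nothing on its own,
    # so a positive platform-binary verdict is required as well.
    return p.is_platform_binary and p.team_id == "" and p.signing_id != ""

def allowed(p: SigningInfo, classify) -> bool:
    # Global allowlist decision: must classify as Apple AND be listed.
    return classify(p) and p.signing_id in GLOBAL_APPLE_ALLOWLIST

def audit(events):
    """Return events the flawed rule allows but the strict rule denies."""
    return [e for e in events
            if allowed(e, is_apple_flawed) and not allowed(e, is_apple_strict)]

# Constructed sample events.
EVENTS = [
    SigningInfo("", "com.apple.example-daemon", True),    # genuine platform binary
    SigningInfo("", "com.apple.example-daemon", False),   # same attributes, no platform verdict
    SigningInfo("ABCDE12345", "com.vendor.tool", False),  # third party with a Team ID
    SigningInfo("", "", False),                           # no signature information
]

if __name__ == "__main__":
    for e in audit(EVENTS):
        print("allowed by flawed rule only:", e)
```

Run over recorded access decisions, the same comparison highlights processes that were granted allowlist access on signing attributes alone.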