CVE-2026-34218 MEDIUM

CVE-2026-34218: ClearanceKit: Managed and user-defined policy rules not enforced between opfilter start and first policy modification

Vendor Craigjbass
Product clearancekit
Weakness CWE-269
Published March 31, 2026
Last update April 2, 2026

CVSS base score

6.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01Description

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.14, two related startup defects created a window during which only the single compile-time baseline rule was enforced by opfilter. All managed (MDM-delivered) and user-defined file-access rules were not applied until the user interacted with policies through the GUI, triggering a policy mutation over XPC. This issue has been patched in version 4.2.14.

Key dates

02Disclosure timeline

March 31, 2026 CVE published
April 2, 2026 Record updated