CVE-2026-40599 HIGH

CVE-2026-40599: ClearanceKit: Ad-hoc signed binaries can spoof Apple process identities in the global allowlist

Vendor Craigjbass
Product clearancekit
Weakness CWE-863 · Incorrect authorization
Published April 21, 2026
Last update April 21, 2026

CVSS base score

8.4/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats any process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. Apple's own binaries carry no Team ID, but neither does any ad-hoc signed binary, and the Signing ID is whatever the signer chose at signing time. A local attacker can therefore ad-hoc sign a binary with the Signing ID of an Apple process named in the global allowlist, be classified as that process, and access all protected files. This vulnerability is fixed in 5.0.5.
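The following added example (not ClearanceKit's code, and not the project's actual fix) models the pre-5.0.5 classification beside a hardened form and runs both over constructed process records. It assumes the agent sees the three code-signing facts Endpoint Security exposes per process (signing_id, team_id, is_platform_binary); whether ClearanceKit uses that framework, and how 5.0.5 actually corrects the check, are not stated in the advisory and are assumptions here. The allowlist entries and process names are constructed for the demonstration. The impostor record corresponds to a binary signed with `codesign -s - -i com.apple.Finder`, which yields an empty Team ID and an attacker-chosen Signing ID.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed model of the code-signing facts an endpoint-security agent can
# read for a process. Field names follow Endpoint Security's es_process_t;
# that ClearanceKit reads them this way is an assumption of this example.
@dataclass(frozen=True)
class ProcessIdentity:
    name: str
    signing_id: str           # identifier chosen by the signer (codesign -i)
    team_id: str              # empty for Apple platform code AND for ad-hoc signatures
    is_platform_binary: bool  # true only for code carrying Apple's own signature


# Hypothetical global allowlist keyed by the Signing ID of trusted Apple processes.
GLOBAL_ALLOWLIST = frozenset({"com.apple.Finder"})


def is_apple_platform_pre_5_0_5(p: ProcessIdentity) -> bool:
    """The heuristic the advisory describes: empty Team ID plus non-empty
    Signing ID is taken to mean 'Apple platform binary' (CWE-863)."""
    return p.team_id == "" and p.signing_id != ""


def is_apple_platform_hardened(p: ProcessIdentity) -> bool:
    """Assumed corrected check: rely on the platform-binary flag, which is
    derived from Apple's signature and cannot be produced by ad-hoc signing."""
    return p.is_platform_binary


def allowed(p: ProcessIdentity, classifier: Callable[[ProcessIdentity], bool]) -> bool:
    """Grant global-allowlist access only to a process the classifier accepts
    as Apple platform code AND whose Signing ID is on the list."""
    return classifier(p) and p.signing_id in GLOBAL_ALLOWLIST


# Constructed sample processes.
GENUINE_FINDER = ProcessIdentity("Finder", "com.apple.Finder", "", True)
IMPOSTOR = ProcessIdentity("impostor", "com.apple.Finder", "", False)   # ad-hoc signed, spoofed Signing ID
THIRD_PARTY = ProcessIdentity("thirdparty", "com.example.app", "ABCDE12345", False)


def decisions(classifier: Callable[[ProcessIdentity], bool]) -> Dict[str, bool]:
    """Evaluate the allowlist decision for every sample process."""
    return {p.name: allowed(p, classifier) for p in (GENUINE_FINDER, IMPOSTOR, THIRD_PARTY)}


if __name__ == "__main__":
    print("pre-5.0.5:", decisions(is_apple_platform_pre_5_0_5))
    print("hardened: ", decisions(is_apple_platform_hardened))
```

The distinguishing fact is that an empty Team ID is ambiguous (Apple platform code and ad-hoc signatures both have one) while the platform-binary attribute is not; any classifier that keys trust on Team ID absence, rather than on an Apple-anchored signature, is open to the same spoof.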

Key dates

02 Disclosure timeline

April 21, 2026 CVE published
April 21, 2026 Record updated