File Access Vulnerability in ClearanceKit for macOS by Craig J. Bass
CVE-2026-40191

6.8 MEDIUM

Key Information:

Vendor: Craigjbass
CVE Published: 10 April 2026

What is CVE-2026-40191?

ClearanceKit, an application designed to enforce per-process access policies in macOS, has a vulnerability that allows local processes to bypass file access protections. Prior to version 5.0.4-beta-1f46165, the Endpoint Security event handler only evaluated the source path for dual-path file operations, neglecting the destination path. This oversight permits unauthorized file manipulations in protected directories via actions such as rename, link, copyfile, exchangedata, or clone. Users are advised to upgrade to the latest version to remediate this issue.
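The source-only check described above, next to a check that evaluates both paths, as an added example that is not ClearanceKit's own code. The `dual_path_event` type, the function names and the protected directory are hypothetical, and the sample events are constructed. Paths are assumed to be already canonical (no symlinks or `..` components).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a dual-path file event (rename, link, copyfile,
   exchangedata, clone). Hypothetical type, not an Endpoint Security struct. */
typedef struct {
    const char *source;      /* path being moved, linked or copied */
    const char *destination; /* path that will be created or replaced */
} dual_path_event;

/* Constructed policy: directories the calling process may not touch. */
static const char *const PROTECTED_DIRS[] = { "/Users/alice/Vault" };

/* True when path is dir itself or lies below it (component-aware, so
   "/Users/alice/VaultBackup" does not match "/Users/alice/Vault"). */
static bool path_within(const char *path, const char *dir) {
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

static bool is_protected(const char *path) {
    for (size_t i = 0; i < sizeof PROTECTED_DIRS / sizeof PROTECTED_DIRS[0]; i++)
        if (path_within(path, PROTECTED_DIRS[i])) return true;
    return false;
}

/* Flawed decision as described above: only the source path is evaluated. */
bool allow_source_only(const dual_path_event *ev) {
    return !is_protected(ev->source);
}

/* Corrected decision: deny if either side of the operation is protected. */
bool allow_both_paths(const dual_path_event *ev) {
    return !is_protected(ev->source) && !is_protected(ev->destination);
}

int main(void) {
    /* Constructed events: destination inside, source inside, neither. */
    dual_path_event evs[] = {
        { "/tmp/staged.txt", "/Users/alice/Vault/notes.txt" },
        { "/Users/alice/Vault/notes.txt", "/tmp/out.txt" },
        { "/tmp/a.txt", "/Users/alice/VaultBackup/a.txt" },
    };
    for (size_t i = 0; i < sizeof evs / sizeof evs[0]; i++)
        printf("%s -> %s: source-only=%d both=%d\n", evs[i].source,
               evs[i].destination, allow_source_only(&evs[i]), allow_both_paths(&evs[i]));
    return 0;
}
```

The two functions disagree only on the first event, where the destination alone falls inside the protected directory.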

Affected Version(s)

clearancekit < 5.0.4-beta-1f46165

CVSS V4

Score: 6.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
