Platform
macos
Component
clearancekit
Fixed in
5.0.6
ClearanceKit, a macOS utility designed to intercept and enforce file-system access policies, contains a vulnerability allowing malicious software to bypass these protections. Prior to version 5.0.5, ClearanceKit incorrectly identifies processes lacking a Team ID but possessing a Signing ID as legitimate Apple platform binaries. This misclassification enables attackers to gain unauthorized access to files that should be protected.
The impact of this vulnerability is significant. An attacker can leverage this flaw to impersonate an Apple process, effectively adding their malicious software to ClearanceKit's global allowlist. This allows the attacker to access any files protected by ClearanceKit, potentially including sensitive user data, system configuration files, or even kernel extensions. The blast radius extends to any application or process relying on ClearanceKit for access control, making this a widespread concern for macOS users. This bypass effectively negates the security benefits of ClearanceKit, allowing attackers to operate with elevated privileges.
This vulnerability was publicly disclosed on 2026-04-21. As of this date, there is no indication of active exploitation in the wild. No public proof-of-concept (PoC) code has been released. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on specific process characteristics may limit its exploitability, but the potential impact warrants careful attention.
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
The primary mitigation is to upgrade ClearanceKit to version 5.0.5 or later, which addresses the flawed logic. If immediate upgrading is not feasible, consider implementing stricter file access controls at the system level using macOS's built-in security features. While a direct workaround is limited, reviewing and tightening application permissions can reduce the potential impact. Monitor system logs for unusual file access patterns, particularly those originating from processes without a Team ID. After upgrading, confirm the fix by attempting to access protected files with a known malicious process and verifying that access is denied.
Update ClearanceKit to version 5.0.5 or higher to prevent malicious software from impersonating an Apple process and accessing protected files. The update corrects how ClearanceKit handles processes with an empty Team ID and a non-empty Signing ID, ensuring that only legitimate Apple platform binaries are recognized.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40599 is a vulnerability in ClearanceKit versions before 5.0.5 that allows malicious software to impersonate Apple processes and bypass file access controls on macOS.
You are affected if you are using ClearanceKit version 0.0.0 through 5.0.4 on macOS. Upgrade to version 5.0.5 or later to resolve the issue.
The fix is to upgrade ClearanceKit to version 5.0.5 or later. Download the updated version from the official ClearanceKit website.
As of the public disclosure date, there is no evidence of active exploitation of CVE-2026-40599 in the wild.
Refer to the official ClearanceKit release notes and website for the advisory related to CVE-2026-40599.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.