{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40191", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T20:59:17.620Z", "datePublished": "2026-04-10T20:19:35.909Z", "dateUpdated": "2026-04-15T15:12:11.855Z"}, "containers": {"cna": {"title": "ClearanceKit has a policy bypass via dual-path Endpoint Security events checking only source path", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-92f3-38m7-579h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-92f3-38m7-579h"}, {"name": "https://github.com/craigjbass/clearancekit/releases/tag/v5.0.4-1f46165", "tags": ["x_refsource_MISC"], "url": "https://github.com/craigjbass/clearancekit/releases/tag/v5.0.4-1f46165"}], "affected": [{"vendor": "craigjbass", "product": "clearancekit", "versions": [{"version": "< 5.0.4-beta-1f46165", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T20:19:35.909Z"}, "descriptions": [{"lang": "en", "value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit's Endpoint Security event handler only checked the source path of dual-path file operations against File Access Authorization (FAA) rules and App Jail policies. The destination path was ignored entirely. This allowed any local process to bypass file-access protection by using rename, link, copyfile, exchangedata, or clone operations to place or replace files inside protected directories. This vulnerability is fixed in 5.0.4-beta-1f46165."}], "source": {"advisory": "GHSA-92f3-38m7-579h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T15:10:53.252092Z", "id": "CVE-2026-40191", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:12:11.855Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40191", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T15:10:53.252092Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:12:00.493Z"}}], "cna": {"title": "ClearanceKit has a policy bypass via dual-path Endpoint Security events checking only source path", "source": {"advisory": "GHSA-92f3-38m7-579h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "craigjbass", "product": "clearancekit", "versions": [{"status": "affected", "version": "< 5.0.4-beta-1f46165"}]}], "references": [{"url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-92f3-38m7-579h", "name": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-92f3-38m7-579h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craigjbass/clearancekit/releases/tag/v5.0.4-1f46165", "name": "https://github.com/craigjbass/clearancekit/releases/tag/v5.0.4-1f46165", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit's Endpoint Security event handler only checked the source path of dual-path file operations against File Access Authorization (FAA) rules and App Jail policies. The destination path was ignored entirely. This allowed any local process to bypass file-access protection by using rename, link, copyfile, exchangedata, or clone operations to place or replace files inside protected directories. This vulnerability is fixed in 5.0.4-beta-1f46165."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T20:19:35.909Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40191", "state": "PUBLISHED", "dateUpdated": "2026-04-15T15:12:11.855Z", "dateReserved": "2026-04-09T20:59:17.620Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T20:19:35.909Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit's Endpoint Security event handler only checked the source path of dual-path file operations against File Access Authorization (FAA) rules and App Jail policies. The destination path was ignored entirely. This allowed any local process to bypass file-access protection by using rename, link, copyfile, exchangedata, or clone operations to place or replace files inside protected directories. This vulnerability is fixed in 5.0.4-beta-1f46165."}], "id": "CVE-2026-40191", "lastModified": "2026-04-16T14:45:19.723", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T21:16:27.440", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/craigjbass/clearancekit/releases/tag/v5.0.4-1f46165"}, {"source": "security-advisories@github.com", "url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-92f3-38m7-579h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.4-beta-1f46165)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "clearancekit", "source": "cna", "vendor": "craigjbass"}, "product": "clearancekit", "vendor": "craigjbass"}], "analysis": {"en": {"generated_at": "2026-04-10T21:21:44.001204+00:00", "value": {"mitigation_remediation": ["Upgrade ClearanceKit to version 5.0.4\u2011beta\u20111f46165 or later."], "summary": {"action": "Apply patch", "impact": "Unauthorized file operation / policy bypass"}, "threat_synthesis": {"affected_systems": "The affected product is ClearanceKit, developed by craigjbass for macOS. All releases prior to 5.0.4\u2011beta\u20111f46165 are vulnerable. The patch introduced in 5.0.4\u2011beta\u20111f46165 corrects the policy enforcement logic to evaluate both source and destination paths.", "description_and_impact": "The vulnerability resides in ClearanceKit\u2019s handling of dual\u2011path Endpoint Security events. The handler checks only the source path of file operations such as rename, link, copyfile, exchangedata, and clone, while ignoring the destination path. This oversight allows any local process to place or overwrite files in protected directories by leveraging those operations, effectively bypassing the intended per\u2011process access controls. The consequence is that a compromised or malicious local process can inject files into sandboxed locations, potentially enabling further exploitation or persistence.", "risk_and_exploitability": "The CVSS score is 6.8, indicating moderate severity, and the EPSS score is not available. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no public exploit evidence yet. A local attacker can exploit the flaw by executing any of the supported file operations against protected directories; the attack vector is inferred to be local because it requires a process running on the same system. Successful exploitation permits the attacker to alter critical files or introduce malicious artifacts, potentially leading to privilege escalation or persistence depending on the protected directories involved."}}}}, "created": "2026-04-13T12:42:35.425416+00:00", "updated": "2026-04-13T12:57:22.509610+00:00", "vendors": ["craigjbass", "craigjbass$PRODUCT$clearancekit"]}