{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33632", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T14:24:11.618Z", "datePublished": "2026-03-26T19:32:49.565Z", "dateUpdated": "2026-03-27T13:58:53.489Z"}, "containers": {"cna": {"title": "ClearanceKit: opfilter policy bypass via exchangedata and clone operations", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-wpxj-vhfp-hhvm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-wpxj-vhfp-hhvm"}, {"name": "https://github.com/craigjbass/clearancekit/commit/6181c4a22eccbeca973c77f4bd023eb795c13786", "tags": ["x_refsource_MISC"], "url": "https://github.com/craigjbass/clearancekit/commit/6181c4a22eccbeca973c77f4bd023eb795c13786"}], "affected": [{"vendor": "craigjbass", "product": "clearancekit", "versions": [{"version": "< 4.2.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:32:49.565Z"}, "descriptions": [{"lang": "en", "value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.4, two file operation event types \u2014 ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE \u2014 were not intercepted by ClearanceKit's opfilter system extension, allowing local processes to bypass file access policies. Commit 6181c4a patches the vulnerability by subscribing to both event types and routing them through the existing policy evaluator. Users must upgrade to v4.2.4 or later and reactivate the system extension."}], "source": {"advisory": "GHSA-wpxj-vhfp-hhvm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:45:05.816197Z", "id": "CVE-2026-33632", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:58:53.489Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "ClearanceKit: opfilter policy bypass via exchangedata and clone operations", "source": {"advisory": "GHSA-wpxj-vhfp-hhvm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craigjbass", "product": "clearancekit", "versions": [{"status": "affected", "version": "< 4.2.4"}]}], "references": [{"url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-wpxj-vhfp-hhvm", "name": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-wpxj-vhfp-hhvm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craigjbass/clearancekit/commit/6181c4a22eccbeca973c77f4bd023eb795c13786", "name": "https://github.com/craigjbass/clearancekit/commit/6181c4a22eccbeca973c77f4bd023eb795c13786", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.4, two file operation event types \u2014 ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE \u2014 were not intercepted by ClearanceKit's opfilter system extension, allowing local processes to bypass file access policies. Commit 6181c4a patches the vulnerability by subscribing to both event types and routing them through the existing policy evaluator. Users must upgrade to v4.2.4 or later and reactivate the system extension."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:32:49.565Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33632", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T13:45:05.816197Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-27T13:45:08.793Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33632", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:32:49.565Z", "dateReserved": "2026-03-23T14:24:11.618Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T19:32:49.565Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.4, two file operation event types \u2014 ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE \u2014 were not intercepted by ClearanceKit's opfilter system extension, allowing local processes to bypass file access policies. Commit 6181c4a patches the vulnerability by subscribing to both event types and routing them through the existing policy evaluator. Users must upgrade to v4.2.4 or later and reactivate the system extension."}], "id": "CVE-2026-33632", "lastModified": "2026-03-26T20:16:16.277", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T20:16:16.277", "references": [{"source": "[email protected]", "url": "https://github.com/craigjbass/clearancekit/commit/6181c4a22eccbeca973c77f4bd023eb795c13786"}, {"source": "[email protected]", "url": "https://github.com/craigjbass/clearancekit/security/advisories/GHSA-wpxj-vhfp-hhvm"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "clearancekit", "source": "cna", "vendor": "craigjbass"}, "product": "clearancekit", "vendor": "craigjbass"}], "analysis": {"en": {"generated_at": "2026-03-26T20:20:27.170251+00:00", "value": {"mitigation_remediation": ["Upgrade ClearanceKit to v4.2.4 or later", "Reactivate the ClearanceKit system extension"], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the CIA software ClearanceKit, developed by craigjbass, on macOS platforms. Any installation of ClearanceKit before v4.2.4 is susceptible, irrespective of specific minor release numbers. All lower versions lack subscription to the two missing event types, and thus are exposed.", "description_and_impact": "ClearanceKit is a macOS file\u2011system access monitoring tool that enforces per\u2011process file access policies. It contains an operation\u2011filter system extension that intercepts file operation events. Prior to version 4.2.4, the extension did not handle the ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE event types. A local process able to use these events could therefore perform file operations that bypass the intended policy checks, allowing unauthorized read, write, or execution of files. This constitutes an authorization bypass, potentially exposing sensitive files or facilitating further local privilege escalation.", "risk_and_exploitability": "The CVSS base score of 8.4 indicates a high severity. The absence of an EPSS score means we cannot estimate current exploitation likelihood, but the vulnerability is marked as not included in CISA's KEV catalog. The exploit requires a local macro or running code against ClearanceKit, so the likely attack vector is local. The vulnerability has been patched in the public commit 6181c4a, so systems that upgrade mitigate the risk."}}}}, "created": "2026-03-27T08:32:29.149193+00:00", "updated": "2026-03-27T09:25:27.045772+00:00", "vendors": ["craigjbass", "craigjbass$PRODUCT$clearancekit"]}