PT-2026-28500 · Unknown · Clearancekit
Published: 2026-03-26 · Updated: 2026-03-26
CVE-2026-33631
CVSS v3.1: 8.7 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
ClearanceKit versions 4.1 and earlier
Description
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy by intercepting only ES_EVENT_TYPE_AUTH_OPEN events. Seven additional file operation event types were not intercepted, allowing any locally running process to bypass the configured FAA policy without triggering a denial. Commit a3d1733 adds subscriptions for all seven event types and routes them through the existing FAA policy evaluator. AUTH_RENAME and AUTH_UNLINK additionally preserve XProtect change detection, allowing events on the XProtect path to trigger the existing onXProtectChanged callback instead of being evaluated against user policy.
Recommendations
Upgrade to ClearanceKit version 4.2 or later.
Fix
Missing Authorization
Affected Products
Clearancekit