CVE-2026-40191
CWE-863Published: April 10, 2026· Updated: Apr 16, 2026
Official Description
ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit's Endpoint Security event handler only checked the source path of dual-path file operations against File Access Authorization (FAA) rules and App Jail policies. The destination path was ignored entirely. This allowed any local process to bypass file-access protection by using rename, link, copyfile, exchangedata, or clone operations to place or replace files inside protected directories. This vulnerability is fixed in 5.0.4-beta-1f46165.
Technical Analysis
CVE-2026-40191 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A proof-of-concept (PoC) exploit exists for CVE-2026-40191. While not yet confirmed in active campaigns, the availability of PoC code increases exploitation risk substantially.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (2)
Quick Facts
Related CVEs (CWE-863)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-40191 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts