Description
Pepr is a type safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the “getting started” experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5.
Published: 2026-01-16
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

Pepr, a type-safe Kubernetes middleware, defaults to a cluster‑admin role-based access control (RBAC) configuration in versions prior to 1.0.5. This default grants any module author or user who deploys Pepr complete cluster‑level privileges without enforcing least‑privilege guidance. The vulnerability allows an attacker or rogue module to gain unrestricted control over the Kubernetes cluster, enabling actions such as creating, modifying, or deleting any resource. The weakness is identified as improper privilege management (CWE‑272).

Affected Systems

The affected product is Pepr by Defense Unicorns. Versions up to and including 1.0.4 possess this permissive default RBAC setting and are consequently vulnerable. Users deploying any earlier release must review their RBAC configuration after upgrading to 1.0.5.

Risk and Exploitability

The risk is significant due to the full cluster‑admin privileges granted by default. While no CVSS score is provided, the EPSS score is below 1%, indicating a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers who can deploy or influence Pepr modules—such as developers or CI/CD pipelines with cluster access—could exploit this flaw by simply enabling module execution, thereby inheriting cluster‑admin rights. The vulnerability remains exploitable until the user applies the fix in 1.0.5 or takes alternative measures to restrict RBAC.

Generated by OpenCVE AI on April 18, 2026 at 05:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pepr to version 1.0.5 or later, which disables the default cluster‑admin binding and applies least‑privilege RBAC settings.
  • If upgrading is not immediately possible, manually modify the Pepr deployment to remove the cluster‑admin ClusterRoleBinding and replace it with a custom role that limits module permissions to only the namespaces or resources required.
  • After implementing the fix or manual restriction, audit the cluster’s role bindings to ensure no residual cluster‑admin permissions remain assigned to Pepr or its modules.
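The audit step above can be scripted against the JSON that `kubectl get clusterrolebindings,clusterroles -o json` returns. The following is an added example for this record, not code from OpenCVE or from the Pepr project: it flags every ClusterRoleBinding whose roleRef is `cluster-admin` or any ClusterRole whose rules are wildcard on apiGroups, resources and verbs (functionally cluster-admin under another name), and it builds the namespaced Role/RoleBinding pair that the second recommendation calls for. The sample objects are constructed, and the namespace `pepr-system` and service account `pepr-module-sa` are placeholder names, not identifiers taken from Pepr.

```python
"""Audit cluster-scoped RBAC for bindings that confer cluster-admin rights.

Added example; not code from the OpenCVE record or the Pepr project.
Input follows the JSON shape of `kubectl get clusterrolebindings,clusterroles -o json`.
The objects in SAMPLE are constructed; "pepr-system" and "pepr-module-sa" are
placeholders, not names taken from Pepr.
"""
import json

# Constructed sample: three bindings for one service account, two of which
# are cluster-admin-equivalent (one by name, one via a wildcard ClusterRole).
SAMPLE = json.loads("""
{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "pepr-module-role"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "view"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "pepr-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "namespace": "pepr-system", "name": "pepr-module-sa"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "pepr-custom"},
   "roleRef": {"kind": "ClusterRole", "name": "pepr-module-role"},
   "subjects": [{"kind": "ServiceAccount", "namespace": "pepr-system", "name": "pepr-module-sa"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "pepr-readonly"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "namespace": "pepr-system", "name": "pepr-module-sa"}]}
]}
""")


def is_wildcard_rule(rule):
    """A rule allowing every verb on every resource in every API group is
    cluster-admin in all but name."""
    return ("*" in rule.get("verbs", [])
            and "*" in rule.get("resources", [])
            and "*" in rule.get("apiGroups", []))


def admin_equivalent_roles(cluster_roles):
    """Names of ClusterRoles that grant unrestricted access."""
    names = {"cluster-admin"}
    for role in cluster_roles:
        if any(is_wildcard_rule(r) for r in role.get("rules", [])):
            names.add(role["metadata"]["name"])
    return names


def find_admin_bindings(bindings, cluster_roles, subject_substring=None):
    """Return (binding, role, subject) triples for admin-equivalent bindings,
    optionally restricted to subjects whose name contains subject_substring."""
    admin_roles = admin_equivalent_roles(cluster_roles)
    findings = []
    for b in bindings:
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in admin_roles:
            continue
        for s in b.get("subjects", []):
            if subject_substring and subject_substring not in s.get("name", ""):
                continue
            label = f"{s.get('kind')}/{s.get('namespace', '-')}/{s.get('name')}"
            findings.append((b["metadata"]["name"], ref["name"], label))
    return findings


def audit(items, subject_substring=None):
    """Split a kubectl item list into roles and bindings and run the check."""
    roles = [i for i in items if i.get("kind") == "ClusterRole"]
    bindings = [i for i in items if i.get("kind") == "ClusterRoleBinding"]
    return find_admin_bindings(bindings, roles, subject_substring)


def least_privilege_manifests(namespace, service_account, resources, verbs, api_group=""):
    """Namespaced Role + RoleBinding to replace a cluster-admin ClusterRoleBinding.
    Scope is one namespace and an explicit resource/verb list; no wildcards."""
    role_name = f"{service_account}-role"
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": role_name, "namespace": namespace},
            "rules": [{"apiGroups": [api_group], "resources": list(resources), "verbs": list(verbs)}]}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
               "metadata": {"name": f"{service_account}-binding", "namespace": namespace},
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role_name},
               "subjects": [{"kind": "ServiceAccount", "namespace": namespace, "name": service_account}]}
    return role, binding


if __name__ == "__main__":
    for finding in audit(SAMPLE["items"], "pepr"):
        print("cluster-admin-equivalent binding:", finding)
    for manifest in least_privilege_manifests("pepr-system", "pepr-module-sa",
                                              ["configmaps"], ["get", "list", "watch"]):
        print(json.dumps(manifest, indent=2))
```

On a live cluster, pipe `kubectl get clusterrolebindings,clusterroles -o json` into `audit(...)["items"]` in place of SAMPLE; the substring filter keeps the report focused on the service accounts a given deployment uses. The replacement manifests deliberately take explicit resource and verb lists so that a wildcard can only be introduced on purpose.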



Advisories

Source: GitHub GHSA
ID: GHSA-w54x-r83c-x79q
Title: Pepr Has Overly Permissive RBAC ClusterRole in Admin Mode

History

Wed, 04 Mar 2026 14:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:defenseunicorns:pepr:*:*:*:*:*:*:*:*

Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values added: Defenseunicorns; Defenseunicorns pepr

Type: Vendors & Products
Values added: Defenseunicorns; Defenseunicorns pepr

Fri, 16 Jan 2026 22:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 19:30:00 +0000

Type: Description
Values added: Pepr is a type safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the “getting started” experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5.

Type: Title
Values added: Pepr Overly Permissive RBAC ClusterRole in Admin Mode

Type: Weaknesses
Values added: CWE-272

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1
{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T21:38:59.905Z

Reserved: 2026-01-14T16:08:37.483Z

Link: CVE-2026-23634

Vulnrichment

Updated: 2026-01-16T21:38:55.935Z

NVD

Status: Analyzed

Published: 2026-01-16T20:15:49.733

Modified: 2026-03-04T14:43:21.853

Link: CVE-2026-23634

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses