VYPR
Low severity · OSV Advisory · Published Jan 16, 2026 · Updated Jan 16, 2026

Pepr Overly Permissive RBAC ClusterRole in Admin Mode

CVE-2026-23634

Description

Pepr is a type-safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the “getting started” experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pepr prior to 1.0.5 defaults to cluster-admin RBAC, violating least-privilege; fixed with warnings and documentation changes.

Vulnerability

Description

Pepr is a TypeScript-based Kubernetes middleware that simplifies cluster resource management. Prior to version 1.0.5, the default RBAC mode for npx pepr build was admin, which generated a ClusterRole with cluster-admin permissions. This design prioritizes ease of onboarding for new users, but it violates the principle of least privilege by granting full, unrestricted access across the entire cluster [1][4].

Exploitation

Context

This is not a traditional exploitable vulnerability but rather an insecure default configuration. The risk arises when module authors deploy Pepr modules without reviewing or changing the RBAC mode. The default hello-pepr.ts capability is intended only for demo purposes, and the documentation explicitly warns against using admin mode in production. However, users may skip this guidance and inadvertently run modules with excessive permissions [4].

Impact

If a module with cluster-admin privileges is compromised or misused, an attacker could gain complete control over the Kubernetes cluster. The severity is considered low because Pepr is a framework and the module author ultimately controls the deployment; however, the default setting increases the attack surface for inexperienced users [4].

Mitigation

The fix in version 1.0.5 (commit d4675a6) adds a warning log during module creation and updates the documentation to clearly state that admin mode is for demo/POC only. Users are instructed to run npx pepr build --rbac-mode=scoped for production to generate least-privilege RBAC [1][3].
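A defender-side check for this class of misconfiguration, added here as an example and not part of the advisory or of the Pepr project: it walks ClusterRoleBindings (constructed kubectl-style JSON, inline) and flags every service account bound cluster-wide either to the built-in cluster-admin role or to a ClusterRole whose rules are wildcards on apiGroups, resources and verbs, which is what a cluster-admin-equivalent role generated in admin mode looks like. The role and service-account names are assumed for illustration, not Pepr's real generated names.

```python
import json

# Constructed sample in the shape of `kubectl get clusterroles,clusterrolebindings -o json`.
# Role and service-account names are illustrative, not Pepr's real generated names.
SAMPLE = {"items": [
    {"kind": "ClusterRole", "metadata": {"name": "pepr-demo"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pepr-scoped"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "pepr-demo"},
     "roleRef": {"kind": "ClusterRole", "name": "pepr-demo"},
     "subjects": [{"kind": "ServiceAccount", "name": "pepr-demo", "namespace": "pepr-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "pepr-scoped"},
     "roleRef": {"kind": "ClusterRole", "name": "pepr-scoped"},
     "subjects": [{"kind": "ServiceAccount", "name": "pepr-scoped", "namespace": "pepr-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "ops"}]},
]}


def is_cluster_admin_like(rules):
    """True if any rule grants every verb on every resource in every API group."""
    return any("*" in r.get("apiGroups", []) and "*" in r.get("resources", [])
               and "*" in r.get("verbs", []) for r in rules)


def find_overprivileged_service_accounts(kubectl_output):
    """Return 'namespace/serviceaccount via ClusterRole <name>' for every service account
    bound cluster-wide to the built-in cluster-admin role or to a wildcard ClusterRole."""
    items = kubectl_output["items"]
    roles = {i["metadata"]["name"]: i.get("rules", []) for i in items if i["kind"] == "ClusterRole"}
    findings = []
    for binding in items:
        if binding["kind"] != "ClusterRoleBinding" or binding["roleRef"]["kind"] != "ClusterRole":
            continue
        role = binding["roleRef"]["name"]
        # cluster-admin is a built-in role and may be absent from the listing, so match it by name.
        if role == "cluster-admin" or is_cluster_admin_like(roles.get(role, [])):
            for subject in binding.get("subjects", []):
                if subject.get("kind") == "ServiceAccount":
                    findings.append(f"{subject['namespace']}/{subject['name']} via ClusterRole {role}")
    return findings


if __name__ == "__main__":
    # Real use: kubectl get clusterroles,clusterrolebindings -o json | python3 rbac_audit.py
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for finding in find_overprivileged_service_accounts(data):
        print("OVERPRIVILEGED:", finding)
```

Run against a live cluster, every `pepr-system` service account reported here is a module still deployed in admin mode and a candidate for a rebuild with `--rbac-mode=scoped`.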

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Affected versions   Patched versions
pepr (npm)    < 1.0.5             1.0.5

Affected products

2
  • Defenseunicorns/Pepr (OSV) · 2 versions
    0.37.3, v0.1.12, v0.1.13, …+ 1 more
    • (no CPE) range: 0.37.3, v0.1.12, v0.1.13, …
    • (no CPE) range: <1.0.5

Patches

1
d4675a662b86

fix: added log warning and updated docs for default admin mode (#2883)

3 files changed · +15 −2
  • docs/user-guide/rbac.md · +8 −1 · modified
    @@ -10,7 +10,14 @@ During the build phase of Pepr (`npx pepr build --rbac-mode [admin|scoped]`), yo
     npx pepr build --rbac-mode admin
     ```
     
    -**Description:** The service account is given cluster-admin permissions, granting it full, unrestricted access across the entire cluster. This can be useful for administrative tasks where broad permissions are necessary. However, use this mode with caution, as it can pose security risks if misused. This is the default mode.
    +**Description:** The service account is given cluster-admin permissions, granting it full, unrestricted access across the entire cluster.
    +This is the default mode.
    +
    +> [!CAUTION]
    +> **This mode is intended for demo and proof-of-concept purposes only and should NOT be used in production environments.**
    +
    +The `hello-pepr` capability included with `npx pepr init` is designed to help new users quickly get started without worrying about RBAC configuration.
    +However, running with cluster-admin level permissions violates the principle of least privilege and poses significant security risks.
     
     ### scoped
     
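Review bot: the `> [!CAUTION]` block is GitHub-flavored alert syntax; if docs.pepr.dev is rendered by a tool without that extension, readers get an ordinary blockquote with the literal text `[!CAUTION]`, so check the rendered page or use the doc site's own admonition syntax. Since the paragraph still says admin remains the default, naming the alternative right here (the page's own `npx pepr build --rbac-mode scoped`) would be more useful than relying on readers reaching the `### scoped` section below.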
    
  • src/cli/dev.ts · +1 −1 · modified
    @@ -72,7 +72,7 @@ export default function (program: Command): void {
                 validateCapabilityNames(webhook.capabilities);
               } catch (error) {
                 Log.error(
    -              `CapabilityValidation Error - Unable to valide capability name(s) in: '${webhook.capabilities.map(item => item.name)}'\n${error}`,
    +              `CapabilityValidation Error - Unable to validate capability name(s) in: '${webhook.capabilities.map(item => item.name)}'\n${error}`,
                 );
                 process.exit(1);
               }
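Review bot: the `valide` → `validate` spelling fix is unrelated to the RBAC warning this commit adds and would be easier to trace in its own commit. While the message is being touched: interpolating `webhook.capabilities.map(item => item.name)` relies on Array-to-string coercion, which joins the names with bare commas; `.join("', '")` would quote each name and keep the error readable when several capabilities fail validation at once.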
    
  • src/cli/init/index.ts · +6 −0 · modified
    @@ -71,6 +71,12 @@ export default function (): Command {
               }
     
               Log.info(`New Pepr module created at ${dirName}`);
    +          Log.warn(
    +            `The default RBAC mode (admin) generates a ClusterRole with cluster-admin level ` +
    +              `permissions for the hello-pepr capability. This is intended for demo/POC purposes only ` +
    +              `and should NOT be used in production.` +
    +              `See https://docs.pepr.dev/user-guide/rbac/ for more details.`,
    +          );
               Log.info(`Open VSCode or your editor of choice in ${dirName} to get started!`);
             } catch (error) {
               throw new Error(`Error creating Pepr module:`, { cause: error });
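Review bot: the concatenated warning is missing a separator between its third and fourth pieces: `and should NOT be used in production.` + `See https://docs.pepr.dev/user-guide/rbac/ ...` prints `production.See https://`. Add a trailing space after `production.` (the two earlier pieces already end with one). Beyond that, this `Log.warn` fires only at `npx pepr init`, while the admin ClusterRole is actually produced by `npx pepr build`; emitting the same warning from the build path whenever `--rbac-mode` resolves to `admin` (including when the flag is omitted) would also reach users who did not run init themselves.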
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
