Low severity | OSV Advisory · Published Jan 16, 2026 · Updated Jan 16, 2026
Pepr Overly Permissive RBAC ClusterRole in Admin Mode
CVE-2026-23634
Description
Pepr is a type-safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the “getting started” experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5.
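To audit a cluster for the default described above, here is an added example (not Pepr's own code) that flags ClusterRoles whose rules are wildcards in every dimension and ClusterRoleBindings that hand such a role, or the built-in cluster-admin, to a ServiceAccount; the sample manifests and the names pepr-system and pepr-example are constructed assumptions.

```python
# Added example (not Pepr project code): flag RBAC objects that grant
# cluster-admin-equivalent access. Names like "pepr-system" are assumptions.

WILDCARD = "*"

def is_wildcard_rule(rule: dict) -> bool:
    """Cluster-admin-equivalent when apiGroups, resources and verbs are all '*'."""
    return all(WILDCARD in rule.get(key, []) for key in ("apiGroups", "resources", "verbs"))

def find_overly_permissive(objects: list[dict]) -> list[str]:
    """Report wildcard ClusterRoles and bindings that hand such a role
    (or the built-in cluster-admin) to a ServiceAccount."""
    findings = []
    wildcard_roles = {"cluster-admin"}  # the built-in role is always */*/*
    for obj in objects:  # first pass: which ClusterRoles are unrestricted?
        if obj.get("kind") == "ClusterRole" and any(is_wildcard_rule(r) for r in obj.get("rules", [])):
            name = obj["metadata"]["name"]
            wildcard_roles.add(name)
            findings.append(f"ClusterRole/{name} grants */*/* (cluster-admin equivalent)")
    for obj in objects:  # second pass: who is bound to those roles?
        if obj.get("kind") != "ClusterRoleBinding":
            continue
        role = obj.get("roleRef", {}).get("name")
        if role not in wildcard_roles:
            continue
        for subj in obj.get("subjects", []):
            if subj.get("kind") == "ServiceAccount":
                findings.append(f"ClusterRoleBinding/{obj['metadata']['name']} binds {role} "
                                f"to ServiceAccount {subj.get('namespace')}/{subj['name']}")
    return findings

# Constructed sample manifests (as dicts): an admin-mode ClusterRole, a
# scoped ClusterRole that should pass, and the binding for the admin role.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "pepr-example"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pepr-example-scoped"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "pepr-example"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "pepr-example"},
     "subjects": [{"kind": "ServiceAccount", "name": "pepr-example", "namespace": "pepr-system"}]},
]

if __name__ == "__main__":
    for finding in find_overly_permissive(SAMPLE_OBJECTS):
        print(finding)
```

The same function can be run over the `items` of `kubectl get clusterroles,clusterrolebindings -o json` to check a live cluster.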
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pepr (npm) | < 1.0.5 | 1.0.5 |
Affected products
- Range: 0.37.3, v0.1.12, v0.1.13, …
References
- github.com/advisories/GHSA-w54x-r83c-x79q (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-23634 (advisory)
- github.com/defenseunicorns/pepr/commit/d4675a662b8602fcde7e4bf603432f2f133b1fd1 (web)
- github.com/defenseunicorns/pepr/pull/2883 (web)
- github.com/defenseunicorns/pepr/releases/tag/v1.0.5 (web)
- github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q (web)