{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23634", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.483Z", "datePublished": "2026-01-16T19:14:46.483Z", "dateUpdated": "2026-01-16T21:38:59.905Z"}, "containers": {"cna": {"title": "Pepr Overly Permissive RBAC ClusterRole in Admin Mode", "problemTypes": [{"descriptions": [{"cweId": "CWE-272", "lang": "en", "description": "CWE-272: Least Privilege Violation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q"}, {"name": "https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5"}], "affected": [{"vendor": "defenseunicorns", "product": "pepr", "versions": [{"version": "< 1.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T19:14:46.483Z"}, "descriptions": [{"lang": "en", "value": "Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the \u201cgetting started\u201d experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5."}], "source": {"advisory": "GHSA-w54x-r83c-x79q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T21:38:48.365212Z", "id": "CVE-2026-23634", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T21:38:59.905Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23634", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T21:38:48.365212Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T21:38:55.935Z"}}], "cna": {"title": "Pepr Overly Permissive RBAC ClusterRole in Admin Mode", "source": {"advisory": "GHSA-w54x-r83c-x79q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "defenseunicorns", "product": "pepr", "versions": [{"status": "affected", "version": "< 1.0.5"}]}], "references": [{"url": "https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q", "name": "https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5", "name": "https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the \u201cgetting started\u201d experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-272", "description": "CWE-272: Least Privilege Violation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T19:14:46.483Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23634", "state": "PUBLISHED", "dateUpdated": "2026-01-16T21:38:59.905Z", "dateReserved": "2026-01-14T16:08:37.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-16T19:14:46.483Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:defenseunicorns:pepr:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC7900DF-C37E-4D04-9745-4A3E414A3806", "versionEndExcluding": "1.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the \u201cgetting started\u201d experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5."}], "id": "CVE-2026-23634", "lastModified": "2026-03-04T14:43:21.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 0.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-16T20:15:49.733", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-272"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:42:18.529251+00:00", "value": {"mitigation_remediation": ["Upgrade Pepr to version 1.0.5 or later, which disables the default cluster\u2011admin binding and applies least\u2011privilege RBAC settings.", "If upgrading is not immediately possible, manually modify the Pepr deployment to remove the cluster\u2011admin ClusterRoleBinding and replace it with a custom role that limits module permissions to only the namespaces or resources required.", "After implementing the fix or manual restriction, audit the cluster\u2019s role bindings to ensure no residual cluster\u2011admin permissions remain assigned to Pepr or its modules."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is Pepr by Defense Unicorns. Versions up to and including 1.0.4 possess this permissive default RBAC setting and are consequently vulnerable. Users deploying any earlier release must review their RBAC configuration after upgrading to 1.0.5.", "description_and_impact": "Pepr, a type-safe Kubernetes middleware, defaults to a cluster\u2011admin RoleBasedAccessControl configuration for versions prior to 1.0.5. This default grants any module author or user who deploys Pepr complete cluster\u2011level privileges without enforcing least\u2011privilege guidance. The vulnerability allows an attacker or rogue module to gain unrestricted control over the Kubernetes cluster, enabling actions such as creating, modifying, or deleting any resource. The weakness is identified as improper privilege management (CWE\u2011272).", "risk_and_exploitability": "The risk is significant due to the full cluster\u2011admin privileges granted by default. While no CVSS score is provided, the EPSS score is below 1%, indicating a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers who can deploy or influence Pepr modules\u2014such as developers or CI/CD pipelines with cluster access\u2014could exploit this flaw by simply enabling module execution, thereby inheriting cluster\u2011admin rights. The vulnerability remains exploitable until the user applies the fix in 1.0.5 or takes alternative measures to restrict RBAC."}}}}, "created": "2026-01-19T09:20:22.515974+00:00", "updated": "2026-04-18T05:45:38.177495+00:00", "vendors": ["defenseunicorns", "defenseunicorns$PRODUCT$pepr"]}