Tghastings

#50841 of 53,633
4.3 Total CVSS
Vulnerabilities · 1
PT-2026-3303
4.3
2026-01-15
Pepr · Pepr · CVE-2026-23634
**Name of the Vulnerable Software and Affected Versions**
Pepr versions prior to 1.0.5

**Description**
Pepr, a type-safe K8s middleware, defaults to a cluster-admin RBAC configuration and does not enforce least-privilege guidance for module authors in versions prior to 1.0.5. This default behavior is intended to simplify the initial user experience, allowing experimentation without pre-configured RBAC. The issue is not considered inherently exploitable but could lead to modules being deployed with broader privileges than necessary if users do not review documentation or use appropriate build options. The vulnerability is related to the Kubernetes RBAC configuration and the `rbacMode` setting, which defaults to “admin”. The `npx pepr build` command can be used to generate RBAC configurations.

**Recommendations**
Update to Pepr version 1.0.5 or later. When building modules, use the command `npx pepr build --rbac-mode=scoped` to generate the minimum required RBAC permissions. Scope RBAC appropriately before deploying to production.
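A check that can be run before a module reaches production, as an added example (not Pepr's code and not part of the advisory): it lists subjects bound cluster-wide to `cluster-admin` or to a ClusterRole whose rules use wildcards. How admin mode appears in the generated manifests is not stated on this page, so covering both forms is an assumption; every object name and namespace in the sample is constructed.

```python
import json
import sys


def role(name, groups, resources, verbs):
    """Build a minimal ClusterRole object (helper for the constructed sample)."""
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": groups, "resources": resources, "verbs": verbs}]}


def binding(name, role_name, sa, ns):
    """Build a minimal ClusterRoleBinding to a ServiceAccount (sample helper)."""
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": ns}]}


# Constructed sample in the List shape that
# `kubectl get clusterroles,clusterrolebindings -o json` returns.
SAMPLE = {"kind": "List", "items": [
    role("module-a", ["*"], ["*"], ["*"]),                       # wildcard role
    binding("module-a", "module-a", "module-a", "example-ns"),
    role("module-b", [""], ["configmaps"], ["get", "list", "watch"]),  # scoped role
    binding("module-b", "module-b", "module-b", "example-ns"),
    binding("module-c", "cluster-admin", "module-c", "example-ns"),    # built-in superuser
]}


def is_wildcard(cluster_role):
    """True if any rule grants every resource in every API group."""
    return any("*" in r.get("apiGroups", []) and "*" in r.get("resources", [])
               for r in cluster_role.get("rules") or [])


def audit(rbac_list):
    """Return (binding, role, subject) for each cluster-wide over-broad grant."""
    items = rbac_list.get("items", [])
    broad = {o["metadata"]["name"] for o in items
             if o["kind"] == "ClusterRole" and is_wildcard(o)}
    broad.add("cluster-admin")  # Kubernetes' built-in superuser ClusterRole
    findings = []
    for o in items:
        if o["kind"] != "ClusterRoleBinding" or o["roleRef"]["name"] not in broad:
            continue
        for s in o.get("subjects") or []:
            subject = f'{s["kind"]}/{s.get("namespace", "-")}/{s["name"]}'
            findings.append((o["metadata"]["name"], o["roleRef"]["name"], subject))
    return findings


if __name__ == "__main__":
    # Pass a JSON file as the first argument, or run with no arguments for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, role_name, subject in audit(data):
        print(f"over-broad: binding={name} role={role_name} subject={subject}")
```

A module rebuilt with `--rbac-mode=scoped` should no longer appear in the output once the old binding is replaced.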