PT-2026-3303 · Pepr+1 · Pepr+1

Tghastings · Published 2026-01-15 · Updated 2026-03-04

CVE-2026-23634

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pepr versions prior to 1.0.5

Description: Pepr, a type-safe Kubernetes (K8s) middleware, defaults to a cluster-admin RBAC configuration in versions prior to 1.0.5 and does not enforce least-privilege guidance for module authors. This default is intended to simplify the initial user experience by allowing experimentation without pre-configured RBAC. The issue is not considered inherently exploitable, but it can lead to modules being deployed with broader privileges than necessary if users do not review the documentation or use the appropriate build options. The vulnerability concerns the Kubernetes RBAC configuration and the rbacMode setting, which defaults to "admin". The npx pepr build command can be used to generate RBAC configurations.

Recommendations: Update to Pepr version 1.0.5 or later. When building modules, use the command npx pepr build --rbac-mode=scoped to generate the minimum required RBAC permissions. Scope RBAC appropriately before deploying to production.
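The recommended fix is to build in scoped mode and review the result before deploying. The check below is an added example written for this page, not code from the advisory or from the Pepr project: it flags the two admin-equivalent shapes in rendered RBAC manifests (a binding to the built-in cluster-admin ClusterRole, and a role whose rules grant wildcard verbs on wildcard resources). It assumes the build output is ordinary Kubernetes RBAC objects loaded into Python dicts; the sample manifests, object names and namespace are constructed placeholders. It generalises beyond Pepr to any rendered RBAC manifests, which is useful as a pre-deployment gate in CI.

```python
"""Least-privilege check over rendered Kubernetes RBAC manifests.

Added example, not code from the advisory or from the Pepr project. It
inspects the RBAC objects a module build emits (assumed here to be plain
Kubernetes ClusterRole / ClusterRoleBinding / Role / RoleBinding objects,
loaded into dicts) and reports the two shapes that amount to "admin" mode:
a binding whose roleRef is the built-in cluster-admin ClusterRole, and a
role whose rules grant wildcard verbs on wildcard resources.
"""
from typing import Any, Dict, List

Manifest = Dict[str, Any]

ROLE_KINDS = ("ClusterRole", "Role")
BINDING_KINDS = ("ClusterRoleBinding", "RoleBinding")


def _is_wildcard_rule(rule: Manifest) -> bool:
    """True when a rule grants every verb on every resource (cluster-admin equivalent)."""
    return "*" in rule.get("verbs", []) and "*" in rule.get("resources", [])


def find_overprivileged(manifests: List[Manifest]) -> List[str]:
    """Return one finding string per RBAC object that exceeds least privilege.

    An empty list means no cluster-admin binding and no wildcard rule was found.
    """
    findings: List[str] = []
    for m in manifests:
        kind = m.get("kind")
        name = m.get("metadata", {}).get("name", "<unnamed>")
        if kind in ROLE_KINDS:
            for rule in m.get("rules", []):
                if _is_wildcard_rule(rule):
                    findings.append(f"{kind}/{name}: wildcard rule grants all verbs on all resources")
                    break  # one finding per role is enough
        elif kind in BINDING_KINDS:
            ref = m.get("roleRef", {})
            if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
                findings.append(f"{kind}/{name}: binds subjects to the built-in cluster-admin ClusterRole")
    return findings


# Constructed sample shaped like a module built in "admin" rbacMode: the
# module's service account is bound straight to cluster-admin. Object and
# namespace names are placeholders, not values from the advisory.
ADMIN_MODE_MANIFESTS: List[Manifest] = [
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "example-module-admin"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "ServiceAccount", "name": "example-module", "namespace": "example-system"}],
    }
]

# Constructed sample shaped like a "scoped" build: a dedicated ClusterRole
# listing only the verbs and resources the module actually uses.
SCOPED_MODE_MANIFESTS: List[Manifest] = [
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": "example-module"},
        "rules": [
            {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
            {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
        ],
    },
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "example-module"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "example-module"},
        "subjects": [{"kind": "ServiceAccount", "name": "example-module", "namespace": "example-system"}],
    },
]

# Constructed sample of the other admin-equivalent shape: a custom ClusterRole
# that is cluster-admin in all but name because of a wildcard rule.
WILDCARD_ROLE_MANIFESTS: List[Manifest] = [
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": "example-module-wide"},
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    },
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "example-module-wide"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "example-module-wide"},
        "subjects": [{"kind": "ServiceAccount", "name": "example-module", "namespace": "example-system"}],
    },
]

if __name__ == "__main__":
    samples = (("admin", ADMIN_MODE_MANIFESTS), ("scoped", SCOPED_MODE_MANIFESTS), ("wildcard", WILDCARD_ROLE_MANIFESTS))
    for label, docs in samples:
        print(label, find_overprivileged(docs) or "ok: no admin-equivalent RBAC found")
```

In practice the dicts would come from parsing the build's generated manifests (for example with a YAML loader) and the check would fail the pipeline whenever the returned list is non-empty, so a module built with the default admin rbacMode cannot reach production unreviewed.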

Tags: Exploit · Fix · LPE

Weakness Enumeration: Incorrect Default Permissions

Related Identifiers: CVE-2026-23634, GHSA-W54X-R83C-X79Q

Affected Products: Kubernetes, Pepr