GHSA-W54X-R83C-X79Q

Vulnerability from github – Published: 2026-01-15 20:14 – Updated: 2026-01-16 21:56
VLAI?
Summary
Pepr Has Overly Permissive RBAC ClusterRole in Admin Mode
Details

Severity: LOW Target: /workspace/pepr/src/lib/assets/rbac.ts Endpoint: Kubernetes RBAC configuration Method: Deployment

Response / Rationale

Pepr defaults to rbacMode: "admin" because the initial experience is designed to be frictionless for new users. This mode ensures that users can deploy and run the default hello-pepr.ts module without needing to understand or pre-configure RBAC rules.

It’s important to note that hello-pepr.ts is intended strictly as a demo to showcase Pepr features and workflow. It is not intended for production use, and the documentation explicitly calls out that admin RBAC should not be used in production environments.

That said, if a user skips the documentation and does not review the npx pepr build options, they could deploy a module with broader privileges than necessary.

We consider this low severity because Pepr is a framework: the module author is ultimately responsible for selecting the appropriate RBAC scope for their module and environment as each module has different RBAC needs and requirements.

Our security focus is on ensuring the Pepr controller and runtime components operate securely within Kubernetes, while still allowing developers the flexibility to build modules with the access they require.

In order to fix this we will warn the user in logs that the default ClusterRole is cluster-admin and that it is not recommended for production.

How this can be exploited

This is not an inherently exploitable CVE in the traditional sense. It is being flagged because Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors.

The default behavior exists to make the “getting started” experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC.

Remediation: scope RBAC appropriately before deploying to production. Running:

npx pepr build --rbac-mode=scoped

generates the minimum RBAC required for the controller/informer to watch resources. Any additional permissions must be added based on the specific Kubernetes resources and CRUD operations performed by the module

Severity ?
0.0 (None)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
1.7 (Low)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pepr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-272",
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-15T20:14:31Z",
    "nvd_published_at": "2026-01-16T20:15:49Z",
    "severity": "LOW"
  },
  "details": "Severity: LOW\nTarget: /workspace/pepr/src/lib/assets/rbac.ts\nEndpoint: Kubernetes RBAC configuration\nMethod: Deployment\n\n## Response / Rationale\nPepr defaults to `rbacMode: \"admin\"` because the initial experience is designed to be frictionless for new users. This mode ensures that users can deploy and run the default `hello-pepr.ts` module without needing to understand or pre-configure RBAC rules.\n\nIt\u2019s important to note that `hello-pepr.ts` is intended strictly as a demo to showcase Pepr features and workflow. It is not intended for production use, and the documentation explicitly calls out that admin RBAC should not be used in production environments.\n\nThat said, if a user skips the documentation and does not review the `npx pepr build` options, they could deploy a module with broader privileges than necessary.\n\nWe consider this low severity because Pepr is a framework: the module author is ultimately responsible for selecting the appropriate RBAC scope for their module and environment as each module has different RBAC needs and requirements. \n\nOur security focus is on ensuring the Pepr controller and runtime components operate securely within Kubernetes, while still allowing developers the flexibility to build modules with the access they require.\n\nIn order to fix this we will warn the user in logs that the default `ClusterRole` is `cluster-admin` and that it is not recommended for production.\n\n## How this can be exploited\n\nThis is not an inherently exploitable CVE in the traditional sense. It is being flagged because Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors.\n\nThe default behavior exists to make the \u201cgetting started\u201d experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC.\n\nRemediation: scope RBAC appropriately before deploying to production. Running:\n\n```bash\nnpx pepr build --rbac-mode=scoped\n```\n\ngenerates the minimum RBAC required for the controller/informer to watch resources. Any additional permissions must be added based on the specific Kubernetes resources and CRUD operations performed by the module",
  "id": "GHSA-w54x-r83c-x79q",
  "modified": "2026-01-16T21:56:18Z",
  "published": "2026-01-15T20:14:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23634"
    },
    {
      "type": "WEB",
      "url": "https://github.com/defenseunicorns/pepr/pull/2883"
    },
    {
      "type": "WEB",
      "url": "https://github.com/defenseunicorns/pepr/commit/d4675a662b8602fcde7e4bf603432f2f133b1fd1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/defenseunicorns/pepr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pepr Has Overly Permissive RBAC ClusterRole in Admin Mode"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.