CVE-2026-23634

0.0 NONE

📋 TL;DR

Pepr, a type-safe Kubernetes middleware, ships in versions before 1.0.5 with a default RBAC configuration that grants its controller ServiceAccounts cluster-admin, far more than the controller needs and a clear violation of least privilege. Every deployment that kept the defaults is affected; users who hand-tuned the Pepr ServiceAccount RBAC are the exception. The practical consequence is that any compromise of the Pepr controller, or of a module it runs, already carries cluster-admin rights, so an attacker needs no separate privilege-escalation step.

💻 Affected Systems

Products:
  • Pepr
Versions: All versions prior to 1.0.5
Operating Systems: Any OS running Kubernetes
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default RBAC configuration. Users who have manually configured restrictive RBAC rules may not be affected even on vulnerable versions.

📦 What is this software?

Pepr is a type-safe Kubernetes middleware from Defense Unicorns. It runs as a controller inside the cluster (pods in the pepr-system namespace), so the RBAC bound to its ServiceAccounts is what bounds the damage if the controller or one of its modules is compromised.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who gains code execution in the Pepr controller pod, or who can ship a Pepr module, inherits cluster-admin: they can create, modify, or delete any Kubernetes resource, deploy malicious workloads, read Secrets across all namespaces, or disrupt cluster operations.

🟠 Likely Case

Compromised workloads or over-trusted users acting through Pepr perform actions well beyond their intended scope, leading to data exposure, service disruption, or lateral movement within the cluster.

🟢 If Mitigated

With RBAC restricted to what the Pepr controller actually needs, a compromise of the controller is contained to those resources and the impact is minimal.

🌐 Internet-Facing: LOW - This vulnerability primarily affects internal Kubernetes cluster configurations rather than internet-facing services.
🏢 Internal Only: HIGH - The risk is significant within Kubernetes environments where attackers could exploit excessive permissions for privilege escalation and lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a foothold first, for example code execution inside the Pepr controller pod or the ability to deploy a Pepr module. From there no further escalation is needed: the controller's ServiceAccount token already carries cluster-admin, so using it is as simple as calling the API server with that token.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.5

Vendor Advisory: https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q

Restart Required: Yes

Instructions:

1. Update Pepr to version 1.0.5 or later.
2. Review and update any custom modules to ensure they follow least-privilege principles.
3. Restart Pepr controllers and any affected workloads.

🔧 Temporary Workarounds

Manual RBAC Configuration

Platform: all

Manually configure RBAC rules that grant the Pepr ServiceAccounts only the resources and verbs their modules need, and replace the default cluster-admin binding with them:

kubectl apply -f custom-rbac.yaml

🧯 If You Can't Patch

  • Manually review and restrict RBAC permissions for all Pepr ServiceAccounts and Roles to minimum required privileges.
  • Implement network policies to restrict Pepr controller communications and monitor for unusual RBAC-related activities.

🔍 How to Verify

Check if Vulnerable:

List the container images running in pepr-system, one per line, and compare the tag against 1.0.5:

kubectl get pods -n pepr-system -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | tr ' ' '\n' | grep -i pepr

Any tag below 1.0.5 is vulnerable unless the RBAC for the Pepr ServiceAccounts has been restricted by hand.

Verify Fix Applied:

Confirm every image tag is 1.0.5 or later, then confirm that no ClusterRoleBinding still grants cluster-admin (or a custom ClusterRole with wildcard rules) to a ServiceAccount in pepr-system. If you created bindings by hand before upgrading, re-check them: the version bump does not remove objects you applied yourself.
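The RBAC review called for in the workaround and in the verification step above can be scripted. The following is an added example, not code from Pepr or its advisory: it reads the single List that `kubectl get clusterroles,clusterrolebindings -o json` prints and reports every ClusterRoleBinding that hands a ServiceAccount in pepr-system either the built-in cluster-admin ClusterRole or a custom ClusterRole containing a wildcard rule (the second case is cluster-admin in all but name and is easy to miss when only grepping for the literal). The embedded sample, including the ServiceAccount and role names, is constructed for the demonstration.

```python
"""Audit which ServiceAccounts in the Pepr namespace hold cluster-admin-equivalent rights.

Added example, not Pepr's own code. Input is the JSON printed by
`kubectl get clusterroles,clusterrolebindings -o json` (one List mixing both kinds).
"""
import json
import sys

PEPR_NAMESPACE = "pepr-system"

# Constructed sample standing in for real kubectl output; all object names are made up.
SAMPLE = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # custom role that is cluster-admin in all but name
            "kind": "ClusterRole",
            "metadata": {"name": "pepr-wildcard"},
            "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
        },
        {   # a genuinely scoped role
            "kind": "ClusterRole",
            "metadata": {"name": "pepr-scoped"},
            "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
        },
        {   # the vulnerable default: a controller ServiceAccount bound straight to cluster-admin
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "pepr-admin-binding"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "pepr-controller", "namespace": PEPR_NAMESPACE}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "pepr-wildcard-binding"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "pepr-wildcard"},
            "subjects": [{"kind": "ServiceAccount", "name": "pepr-watcher", "namespace": PEPR_NAMESPACE}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "pepr-scoped-binding"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "pepr-scoped"},
            "subjects": [{"kind": "ServiceAccount", "name": "pepr-controller", "namespace": PEPR_NAMESPACE}],
        },
        {   # cluster-admin held by a human group outside the Pepr namespace: not this check's concern
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:masters", "apiGroup": "rbac.authorization.k8s.io"}],
        },
    ],
})


def is_wildcard_rule(rule):
    """True when one rule grants every verb on every resource in every API group."""
    return ("*" in rule.get("verbs", []) and "*" in rule.get("resources", [])
            and "*" in rule.get("apiGroups", []))


def admin_equivalent_roles(items):
    """The built-in cluster-admin plus any ClusterRole that contains a wildcard rule."""
    roles = {"cluster-admin"}
    for obj in items:
        if obj.get("kind") == "ClusterRole" and any(is_wildcard_rule(r) for r in obj.get("rules") or []):
            roles.add(obj["metadata"]["name"])
    return roles


def find_admin_bindings(rbac_json, namespace=PEPR_NAMESPACE):
    """Return (binding, serviceaccount, role) for each over-privileged grant to a SA in `namespace`."""
    items = json.loads(rbac_json).get("items", [])
    admin_roles = admin_equivalent_roles(items)
    findings = []
    for obj in items:
        if obj.get("kind") != "ClusterRoleBinding":
            continue
        ref = obj.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in admin_roles:
            continue
        for subj in obj.get("subjects") or []:  # subjects can be absent or null on a binding
            if subj.get("kind") == "ServiceAccount" and subj.get("namespace") == namespace:
                findings.append((obj["metadata"]["name"], subj["name"], ref["name"]))
    return findings


if __name__ == "__main__":
    # Pass a file saved from kubectl as argv[1]; with no argument the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = find_admin_bindings(data)
    for binding, sa, role in hits:
        print(f"{binding}: ServiceAccount {PEPR_NAMESPACE}/{sa} -> ClusterRole {role}")
    sys.exit(1 if hits else 0)
```

Run it as `kubectl get clusterroles,clusterrolebindings -o json > rbac.json && python3 audit_pepr_rbac.py rbac.json`; a non-zero exit means a Pepr ServiceAccount still holds cluster-admin-equivalent rights, which is the condition to clear before calling the fix applied. The wildcard check looks only at ClusterRoles bound through ClusterRoleBindings; RoleBindings that reference a ClusterRole are namespace-scoped and are out of scope for this advisory's cluster-wide concern.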

📡 Detection & Monitoring

Log Indicators:

  • Unusual cluster-admin level operations from Pepr ServiceAccounts
  • RBAC permission escalation attempts
  • Creation of unexpected resources by Pepr controllers

Network Indicators:

  • Unusual API server requests from Pepr controllers
  • Communication patterns suggesting privilege escalation

SIEM Query:

source="kubernetes-audit" AND stage="ResponseComplete" AND user.username="system:serviceaccount:pepr-system:*" AND verb IN ["create","update","patch","delete","deletecollection"] AND NOT objectRef.resource IN ["expected-resource-list"]

Filter on stage="ResponseComplete" so each API request is counted once (the audit backend also emits a RequestReceived event for the same auditID), and keep denied requests (responseStatus.code 403) in the results: with the fix applied those are the escalation attempts worth alerting on. Replace expected-resource-list with the resources your Pepr modules legitimately write.
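The query above expressed as detection logic over raw audit events, as an added example that is not part of the original page or of Pepr: it reads Kubernetes audit log in the audit.k8s.io/v1 JSON-lines shape, keeps only ResponseComplete events, and flags mutating verbs by any pepr-system ServiceAccount on a resource outside an allowlist. The six events and the allowlist contents are constructed; the allowlist is a placeholder you must derive from what your modules actually need.

```python
"""Flag mutating API calls by Pepr ServiceAccounts outside an expected resource set.

Added example, not Pepr's own code. Input is a Kubernetes audit log in the
audit.k8s.io/v1 JSON-lines format; the events below are constructed.
"""
import json

PEPR_SA_PREFIX = "system:serviceaccount:pepr-system:"
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Placeholder allowlist (assumption): resources a scoped Pepr deployment is expected to write.
EXPECTED_RESOURCES = {"peprstores"}

# Constructed audit events. A request yields a RequestReceived and a ResponseComplete event
# with the same auditID; only ResponseComplete carries the response status.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1", "stage": "RequestReceived",
     "user": {"username": "system:serviceaccount:pepr-system:pepr-controller"}, "verb": "create",
     "objectRef": {"resource": "clusterrolebindings", "name": "backdoor", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1", "stage": "ResponseComplete",
     "user": {"username": "system:serviceaccount:pepr-system:pepr-controller"}, "verb": "create",
     "objectRef": {"resource": "clusterrolebindings", "name": "backdoor", "apiGroup": "rbac.authorization.k8s.io"},
     "responseStatus": {"code": 201}},
    {"auditID": "a2", "stage": "ResponseComplete",
     "user": {"username": "system:serviceaccount:pepr-system:pepr-controller"}, "verb": "patch",
     "objectRef": {"resource": "peprstores", "namespace": "pepr-system", "name": "pepr-store"},
     "responseStatus": {"code": 200}},
    {"auditID": "a3", "stage": "ResponseComplete",
     "user": {"username": "system:serviceaccount:pepr-system:pepr-watcher"}, "verb": "get",
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "token"},
     "responseStatus": {"code": 200}},
    {"auditID": "a4", "stage": "ResponseComplete",
     "user": {"username": "system:serviceaccount:pepr-system:pepr-watcher"}, "verb": "delete",
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "api-0"},
     "responseStatus": {"code": 403}},
    {"auditID": "a5", "stage": "ResponseComplete",
     "user": {"username": "system:serviceaccount:kube-system:deployment-controller"}, "verb": "create",
     "objectRef": {"resource": "replicasets", "namespace": "prod"},
     "responseStatus": {"code": 201}},
])


def suspicious_events(audit_log, expected=EXPECTED_RESOURCES):
    """Return (auditID, username, verb, resource, status) for each ResponseComplete event in
    which a pepr-system ServiceAccount used a mutating verb on a resource outside `expected`.
    Denied calls (status 403) are kept deliberately: they are the escalation attempts."""
    hits = []
    for line in audit_log.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":  # count each request once
            continue
        user = ev.get("user", {}).get("username", "")
        if not user.startswith(PEPR_SA_PREFIX):
            continue
        verb = ev.get("verb")
        resource = ev.get("objectRef", {}).get("resource", "")
        if verb in MUTATING_VERBS and resource not in expected:
            status = ev.get("responseStatus", {}).get("code")
            hits.append((ev.get("auditID"), user, verb, resource, status))
    return hits


if __name__ == "__main__":
    for audit_id, user, verb, resource, status in suspicious_events(SAMPLE_AUDIT_LOG):
        print(f"{audit_id}: {user} {verb} {resource} -> {status}")
```

On the sample this reports the successful creation of a ClusterRoleBinding (the kind of write a cluster-admin Pepr controller can make and a scoped one cannot) and a denied pod deletion, while ignoring the RequestReceived duplicate, the read-only Secret access, the allowlisted PeprStore write, and the non-Pepr controller. Pipe real audit output through it with a file argument or a small adaptation of the `__main__` block.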

🔗 References

  • GHSA-w54x-r83c-x79q (vendor advisory): https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q