CVE-2026-23634

Source
https://cve.org/CVERecord?id=CVE-2026-23634
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23634.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23634
Aliases
Published
2026-01-16T19:14:46.483Z
Modified
2026-01-28T05:53:20.830850Z
Severity
  • 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Summary
Pepr Overly Permissive RBAC ClusterRole in Admin Mode
Details

Pepr is a type-safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the “getting started” experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-272"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23634.json"
}
References

Affected packages

Git / github.com/defenseunicorns/pepr

Affected ranges

Type
GIT
Repo
https://github.com/defenseunicorns/pepr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.37.3
v0.*
v0.1.12
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.19
v0.1.21
v0.1.22
v0.1.23
v0.1.24
v0.1.25
v0.1.26
v0.1.27
v0.1.28
v0.1.29
v0.1.30
v0.1.31
v0.1.32
v0.1.33
v0.1.34
v0.1.35
v0.1.36
v0.1.37
v0.1.38
v0.1.39
v0.1.40
v0.1.41
v0.1.42
v0.1.43
v0.1.44
v0.1.45
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.16.0
v0.17.0
v0.17.1
v0.18.0
v0.18.1
v0.19.0
v0.2.0
v0.2.1
v0.2.10
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.20.0
v0.20.1
v0.20.2
v0.20.3
v0.21.0
v0.21.1
v0.22.0
v0.22.1
v0.22.2
v0.22.3-alpha
v0.22.4
v0.23.0
v0.23.1
v0.23.2
v0.24.0
v0.24.1
v0.25.0
v0.26.0
v0.26.1
v0.26.2
v0.27.0
v0.28.0
v0.28.1
v0.28.2
v0.28.3
v0.28.4
v0.28.5
v0.28.6
v0.28.7
v0.28.8
v0.29.0
v0.29.1
v0.29.2
v0.3.0
v0.3.1
v0.3.2
v0.30.0
v0.30.1
v0.30.2
v0.31.0
v0.31.1
v0.32.0
v0.32.1
v0.32.2
v0.32.3
v0.32.4
v0.32.5
v0.32.6
v0.32.7
v0.33.0
v0.34.0
v0.34.1
v0.35.0
v0.36.0
v0.37.0
v0.37.1
v0.37.2
v0.38.0
v0.38.0-rc
v0.38.1
v0.38.2
v0.38.3
v0.39.0
v0.39.1
v0.4.0
v0.4.1
v0.4.2
v0.40.0
v0.40.1
v0.42.0
v0.42.1
v0.42.2
v0.42.3
v0.43.0
v0.44.0
v0.45.0
v0.45.1
v0.46.0
v0.46.1
v0.46.2
v0.46.3
v0.47.0
v0.48.0
v0.48.1
v0.49.0
v0.5.0
v0.50.0
v0.51.0
v0.51.1
v0.51.2
v0.51.3
v0.51.4
v0.51.5
v0.51.6
v0.52.0
v0.52.1
v0.52.2
v0.52.3
v0.53.0
v0.53.1
v0.54.0
v0.55.0
v0.55.1
v0.55.2
v0.55.3
v0.55.4
v0.55.5
v0.55.6
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v0.9.0
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23634.json"