CVE-2026-23634
CVE-2026-23634 is a none-severity vulnerability in Defenseunicorns Pepr with a CVSS 3.x base score of 0.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-272.
Key facts
- Severity: None (CVSS 3.x base score 0.0)
- EPSS exploit prediction: 0% (13th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-3113
- Weakness: CWE-272
- Affected product: Defenseunicorns Pepr
- Published:
- Last modified:
Description
Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the “getting started” experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5.
Frequently asked questions
- What is CVE-2026-23634?
- Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the “getting started” experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5.
- How severe is CVE-2026-23634?
- CVE-2026-23634 has a CVSS 3.x base score of 0.0, rated none severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability none.
- Is CVE-2026-23634 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (13th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-23634?
- CVE-2026-23634 affects Defenseunicorns Pepr. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-23634?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-23634 have an EU (EUVD) identifier?
- Yes. CVE-2026-23634 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-3113.
- When was CVE-2026-23634 published?
- CVE-2026-23634 was published on 2026-01-16 and last updated on 2026-06-17.
References
- https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5
- https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q
Affected products (1)
- cpe:2.3:a:defenseunicorns:pepr:*:*:*:*:*:*:*:*
Other CWE-272 vulnerabilities
- CVE-2025-59106 — High (CVSS 8.8): The binary serving the web server and executing basically all actions launched from the Web UI is running with root…
- CVE-2025-7722 — High (CVSS 8.8): The Social Streams plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including,…
- CVE-2024-28824 — High (CVSS 8.8): Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk…
- CVE-2024-35204 — High (CVSS 8.4): Veritas System Recovery before 23.3_Hotfix has incorrect permissions for the Veritas System Recovery folder, and thus…
- CVE-2025-47809 — High (CVSS 8.2): Wibu CodeMeter before 8.30a sometimes allows privilege escalation immediately after installation (before a logoff or…
- CVE-2024-0638 — High (CVSS 8.2): Least privilege violation in the Checkmk agent plugins mk_oracle, mk_oracle.ps1, and mk_oracle_crs before Checkmk…