GHSA-W54X-R83C-X79Q

Pepr's Open Door: The Perils of Default 'Admin' Mode

Alon Barad
Software Engineer

Jan 16, 2026 · 5 min read

Executive Summary (TL;DR)

Pepr, a TypeScript framework for Kubernetes, essentially gives root privileges (`cluster-admin`) to any module created with its default settings. If an attacker compromises a Pepr module—perhaps through a dependency vulnerability or bad custom code—they inherit full control over the entire cluster. The fix? A console warning telling you not to do that in production.

The Pepr Kubernetes framework defaults to generating 'cluster-admin' RBAC permissions for new modules, turning a simple development convenience into a potential production nightmare.
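A defender-side check for the condition described above, added here as an example and not code from Pepr or the advisory: it scans a ClusterRoleBinding listing (the JSON shape `kubectl get clusterrolebindings -o json` returns) and reports any ServiceAccount bound directly to the `cluster-admin` ClusterRole, while ignoring the bootstrap binding to the `system:masters` group. The binding and namespace names below are constructed placeholders, not the names Pepr actually generates.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# The "pepr-..." names and the "pepr-system" namespace are illustrative
# placeholders, not Pepr's real generated identifiers.
SAMPLE_CRB_LIST = json.dumps({
    "kind": "List",
    "items": [
        {   # what an "admin mode" module binding would look like
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "pepr-example-module"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "pepr-example-module",
                          "namespace": "pepr-system"}],
        },
        {   # a module bound to its own narrowly scoped ClusterRole
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "pepr-scoped-module"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "pepr-scoped-module"},
            "subjects": [{"kind": "ServiceAccount", "name": "pepr-scoped-module",
                          "namespace": "pepr-system"}],
        },
        {   # Kubernetes' own bootstrap binding: a Group, not a ServiceAccount
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:masters"}],
        },
    ],
})


def find_cluster_admin_service_accounts(crb_list_json, name_prefix=None):
    """Return (binding name, namespace/serviceaccount) pairs for every
    ServiceAccount bound to the cluster-admin ClusterRole. name_prefix
    optionally restricts the scan to bindings whose name starts with it."""
    findings = []
    for item in json.loads(crb_list_json).get("items", []):
        if item.get("kind") != "ClusterRoleBinding":
            continue
        name = item.get("metadata", {}).get("name", "")
        if name_prefix and not name.startswith(name_prefix):
            continue
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in item.get("subjects") or []:   # subjects may be null
            if subj.get("kind") == "ServiceAccount":
                findings.append((name, f"{subj.get('namespace', '')}/{subj['name']}"))
    return findings
```

Any hit is a workload identity that a compromised module, dependency or container would inherit with full cluster control; the remediation is to replace the binding with a ClusterRole limited to the resources the module actually watches or mutates.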


Technical Appendix

CVSS Score: 1.7 / 10
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
EPSS Probability: 0.04% (top 100% most exploited)

Affected Systems

- Pepr Framework (npm package)
- Kubernetes clusters running default Pepr modules

Affected Versions Detail

Product                 Affected Versions   Fixed Version
pepr (defenseunicorns)  < 1.0.5             1.0.5

Attribute           Detail
CWE                 CWE-276 (Incorrect Default Permissions)
CVSS v4.0           1.7 (Low)
Real-World Impact   Critical (Cluster Compromise)
Attack Vector       Adjacent / Network (Post-Compromise)
Affected Versions   < 1.0.5
Exploit Status      Config-based (Trivial)

CWE-276: Incorrect Default Permissions

The product creates a default configuration file with permissions that are broader than necessary, exposing the system to unintended access or modification.

Vulnerability Timeline

Vulnerability Published
2026-01-15
Patch Released (v1.0.5)
2026-01-15