Description

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.

INFO

Published Date :

2026-04-09T15:03:28.668Z

Last Modified :

2026-04-09T17:46:15.811Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35204 vulnerability.

Vendors Products
Helm
  • Helm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35204.

URL Resource
https://github.com/helm/helm/commit/36c8539e99bc42d7aef9b87d136254662d04f027 cve-icon cve-icon
https://github.com/helm/helm/releases/tag/v4.1.4 cve-icon cve-icon
https://github.com/helm/helm/security/advisories/GHSA-vmx8-mqv2-9gmg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability