Description

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.

INFO

Published Date :

2026-04-09T21:02:13.594Z

Last Modified :

2026-04-09T21:02:13.594Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35206 vulnerability.

Vendors Products
Helm
  • Helm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35206.

URL Resource
https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436 cve-icon cve-icon cve-icon
https://github.com/helm/helm/releases/tag/v4.1.4 cve-icon cve-icon cve-icon
https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability