Arbitrary File Write Vulnerability in Helm Package Manager
CVE-2026-35204

8.4 HIGH

Key Information:

Vendor: Helm
Status: Vendor
CVE Published: 9 April 2026

What is CVE-2026-35204?

A security issue has been identified in Helm, the package manager for Kubernetes charts. Versions 4.0.0 through 4.1.3 are affected by a flaw that allows a specially crafted Helm plugin to write files to arbitrary locations on the filesystem when the plugin is installed or updated. The trigger is the plugin's 'plugin.yaml' file: a 'version:' field containing POSIX dot-dot path separators (e.g., '/../') lets the write escape the intended location. Until an upgrade is possible, validate that the 'plugin.yaml' of any plugin you install or update does not contain such a 'version:' value. The vulnerability is fixed in version 4.1.4; upgrade to that release.
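As an added defender-side example (not code from this page or from the Helm project), here is the pre-install check the paragraph recommends, written in Go because Helm is a Go project: it extracts the 'version:' value from a plugin.yaml body and rejects any value that contains path separators or would resolve outside a base directory once joined to it. The sample manifests, the '/plugins' base directory and the line-based parser are assumptions for the illustration, not Helm's own loader.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeVersion marks a version value that is not safe to use as one directory name.
var ErrUnsafeVersion = errors.New("plugin version contains path separators or traversal segments")
// ExtractVersion reads the top-level "version:" value from a plugin.yaml body. A small
// line scanner (no YAML library) suffices for plugin.yaml's flat layout; not Helm's loader.
func ExtractVersion(manifest string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		if line := sc.Text(); strings.HasPrefix(line, "version:") {
			v := strings.TrimSpace(strings.TrimPrefix(line, "version:"))
			return strings.Trim(v, `"'`), true
		}
	}
	return "", false
}

// CheckVersion rejects separators and "." outright, then confirms the value stays inside a base dir.
func CheckVersion(version string) error {
	if version == "" || version == "." || strings.ContainsAny(version, `/\`) {
		return ErrUnsafeVersion
	}
	base := "/plugins" // constructed base directory, only used for the containment test
	rel, err := filepath.Rel(base, filepath.Join(base, version))
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return ErrUnsafeVersion
	}
	return nil
}

// CheckManifest is the pre-install gate: extract the version field, then validate it.
func CheckManifest(manifest string) error {
	v, ok := ExtractVersion(manifest)
	if !ok {
		return errors.New("plugin.yaml has no version field")
	}
	return CheckVersion(v)
}
func main() { // constructed manifests; the second carries the dot-dot pattern the advisory names
	fmt.Println(CheckManifest("name: demo\nversion: \"1.2.3\"\n"))
	fmt.Println(CheckManifest("name: demo\nversion: \"1.2.3/../../../../tmp/x\"\n"))
}
```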

Affected Version(s)

helm >= 4.0.0, < 4.1.4

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved