Vulnerability in Helm Package Manager for Kubernetes Plugins
CVE-2026-35205
8.4 HIGH
What is CVE-2026-35205?
Helm, the package manager for Kubernetes, allows a plugin that lacks a provenance (.prov) file to be installed even when signature verification is required. The flaw affects versions 4.0.0 to 4.1.3, so deployments may end up running unverified plugins. It is fixed in version 4.1.4. For more information, refer to the official Helm documentation.
Affected Version(s)
helm >= 4.0.0, < 4.1.4
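
A pre-install guard for the condition described above, added here as an example and not taken from Helm's own code: it checks a Helm version string against the affected range and refuses a plugin archive that has no provenance file beside it. The function names, the `<archive>.prov` sidecar naming and the PGP clearsign header check are assumptions; the presence check does not replace Helm's signature verification.

```shell
#!/bin/sh
# Hypothetical helper names; not part of Helm.

# helm_version_affected VERSION
# Returns 0 if VERSION is in the range the advisory lists (>= 4.0.0, < 4.1.4).
# Accepts strings such as "v4.1.3+g1a2b3c4" (e.g. from `helm version --short`).
# Pre-release and build suffixes are ignored (assumption); an unparseable
# version is treated as affected so the guard fails closed.
helm_version_affected() {
    v=${1#v}
    v=${v%%[-+]*}
    case $v in
        *[!0-9.]*|.*|*.|*..*) return 0 ;;
        *.*.*.*) return 0 ;;
        *.*.*) ;;
        *) return 0 ;;
    esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -eq 4 ] || return 1
    [ "$minor" -eq 0 ] && return 0
    [ "$minor" -eq 1 ] && [ "$patch" -le 3 ]
}

# plugin_has_provenance ARCHIVE
# Returns 0 only if ARCHIVE exists and ARCHIVE.prov is a non-empty regular
# file that looks like a PGP clearsigned document (assumed format).
plugin_has_provenance() {
    prov="$1.prov"
    [ -f "$1" ] || return 1
    [ -f "$prov" ] && [ -s "$prov" ] || return 1
    grep -q -e '-----BEGIN PGP SIGNED MESSAGE-----' "$prov"
}

# preflight_plugin_install ARCHIVE HELM_VERSION
#   0  provenance file present; hand over to Helm for signature verification
#   1  no provenance and Helm is in the affected range (Helm will not stop it)
#   2  no provenance; Helm is outside the affected range and should refuse
preflight_plugin_install() {
    if plugin_has_provenance "$1"; then
        return 0
    fi
    if helm_version_affected "$2"; then
        echo "BLOCK: $1 has no .prov file and helm $2 is affected; upgrade to 4.1.4" >&2
        return 1
    fi
    echo "BLOCK: $1 has no .prov file" >&2
    return 2
}
```
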
