Directory Traversal Vulnerability in Helm Package Manager
CVE-2026-35206

4.8 MEDIUM

Key Information:

Vendor

Helm

Status
Vendor
CVE Published:
9 April 2026

What is CVE-2026-35206?

A directory traversal vulnerability exists in Helm, the package manager for Kubernetes. In Helm 3.20.1 and 4.1.3, running 'helm pull --untar [chart URL | repo/chartname]' writes the chart's contents directly into the current working directory instead of into the designated output directory, which is normally the untar directory with the chart's name appended (that is, '<untardir>/<chartname>/'). Files already present in the working directory can therefore be overwritten by files shipped in the chart; the CVSS assessment below rates the impact on integrity and availability as low and on confidentiality as none. The issue is fixed in Helm 3.20.2 and 4.1.4, which restore the correct output-directory handling.

Affected Version(s)

helm (4.x line): affected >= 4.0.0, < 4.1.4; fixed in 4.1.4 (versions below 4.0.0 fall under the 3.x entry)

helm (3.x line): affected < 3.20.2; fixed in 3.20.2
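The following shell script is an added example; it is not part of this advisory or of the Helm project. It gates on the fixed versions listed above, checks whether an untarred chart landed where a fixed Helm puts it ('<untardir>/<chartname>/Chart.yaml', as the description implies), and wraps 'helm pull --untar' so that the chart is always expanded into a fresh temporary directory via the real '--untardir' flag, which keeps an affected Helm from overwriting anything in the caller's working directory. The derivation of a chart name from a URL reference is a heuristic and is labelled as an assumption in the code.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Helm. Two checks around
# CVE-2026-35206 plus a wrapper that makes `helm pull --untar` safe on any
# Helm version by expanding into a fresh temporary directory.

# helm_version_is_fixed VERSION
# Exit 0 when VERSION carries the fix (3.20.2+ on the 3.x line, 4.1.4+ on the
# 4.x line, or anything newer); exit 1 when it falls in an affected range from
# the advisory: < 3.20.2, or >= 4.0.0 and < 4.1.4. Accepts the output of
# `helm version --template '{{.Version}}'`, e.g. "v3.20.1", with or without
# the leading "v" or a pre-release suffix.
helm_version_is_fixed() {
  v=${1#v}
  v=${v%%-*}                     # drop "-rc.1"-style pre-release suffix
  v=${v%%+*}                     # drop build metadata
  major=${v%%.*}
  rest=${v#*.}
  if [ "$rest" = "$v" ]; then rest=0; fi      # bare "4": no minor component
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$patch" = "$rest" ]; then patch=0; fi # "4.1": no patch component
  case "$major" in
    3) [ "$minor" -gt 20 ] || { [ "$minor" -eq 20 ] && [ "$patch" -ge 2 ]; } ;;
    4) [ "$minor" -gt 1 ]  || { [ "$minor" -eq 1 ]  && [ "$patch" -ge 4 ]; } ;;
    *) [ "$major" -gt 4 ] ;;
  esac
}

# chart_layout_ok UNTARDIR CHARTNAME
# Exit 0 when the chart was expanded into UNTARDIR/CHARTNAME/ as a fixed Helm
# does; exit 1 when Chart.yaml sits directly in UNTARDIR (the misplacement
# this CVE describes) or when no chart is found at all.
chart_layout_ok() {
  if [ -f "$1/Chart.yaml" ]; then
    return 1
  fi
  [ -f "$1/$2/Chart.yaml" ]
}

# safe_helm_pull CHARTREF [CHARTNAME]
# Pulls CHARTREF into a brand-new temporary directory with --untardir, so an
# affected Helm cannot touch the caller's working directory, verifies the
# layout, and prints the chart path. Without CHARTNAME the name is guessed
# from the last path element of CHARTREF minus any .tgz/-<version> suffix;
# that guess is an assumption, so pass the name explicitly for URL references.
safe_helm_pull() {
  ref=$1
  if [ -n "$2" ]; then
    name=$2
  else
    name=${ref##*/}
    name=${name%.tgz}
    name=${name%-[0-9]*}
  fi
  tmp=$(mktemp -d) || return 1
  if ! helm pull "$ref" --untar --untardir "$tmp"; then
    rm -rf "$tmp"
    return 1
  fi
  if chart_layout_ok "$tmp" "$name"; then
    printf '%s\n' "$tmp/$name"
  else
    echo "warning: chart not expanded under $tmp/$name (affected Helm?); inspect $tmp" >&2
    return 2
  fi
}

# Usage (needs helm and network; "myrepo/mychart" is a placeholder):
#   helm_version_is_fixed "$(helm version --template '{{.Version}}')" \
#     || echo "installed helm is in an affected range" >&2
#   chart_dir=$(safe_helm_pull myrepo/mychart)
```

Even on a fixed Helm the wrapper is a reasonable habit: expanding into a directory you created empty moments ago means no chart can ever clobber a file you care about, whatever the tool's defaults turn out to be.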

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published: 9 April 2026

  • Vulnerability reserved