SB2026040953 - Multiple vulnerabilities in Helm
Published: April 9, 2026. Updated: April 10, 2026.
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2026-35204)
The vulnerability allows a remote attacker to write files to arbitrary locations on the filesystem.
The vulnerability exists due to path traversal in the plugin metadata version field when installing or updating a specially crafted Helm plugin. A remote attacker can provide a specially crafted plugin to write files to arbitrary locations on the filesystem.
User interaction is required to install or update the crafted plugin.
2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-35205)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper signature verification in the plugin installation and update verification logic when a plugin is installed or updated with signature verification required while the provenance (.prov) file is missing. A remote attacker can provide a specially crafted unsigned plugin that lacks the .prov file to execute arbitrary code.
Plugin hooks in the installed plugin are executed as designed, and user interaction is required.
3) Improper input validation (CVE-ID: CVE-2026-35206)
The vulnerability allows a remote attacker to overwrite files in the target output directory.
The vulnerability exists due to improper input validation in the Chart extraction logic when processing a specially crafted Chart with helm pull --untar. A remote attacker can supply a crafted Chart whose Chart.yaml name is "." to overwrite files in the target output directory.
User interaction is required to pull and extract the crafted Chart.
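As an added, defender-side illustration (not Helm's own code): a Go check of the kind an installer should apply to the two untrusted metadata fields named above, the plugin version and the Chart.yaml name, before using them as path components, plus the required-verification decision for a missing .prov file. The function names, the "plugins" base directory and the sample inputs are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// validateComponent accepts only a single plain path element. It rejects
// "", ".", "..", anything containing a separator and anything filepath.Clean
// would rewrite; apply it to the plugin metadata version field and to the
// Chart.yaml name before either is joined into an install or untar path.
func validateComponent(field, v string) error {
	if v == "" || v == "." || v == ".." || strings.ContainsAny(v, `/\`) || filepath.Clean(v) != v {
		return fmt.Errorf("%s: %q is not a safe path component", field, v)
	}
	return nil
}

// safeJoin validates v, joins it under base and re-checks that the result
// is a strict child of base (defence in depth against traversal).
func safeJoin(base, field, v string) (string, error) {
	if err := validateComponent(field, v); err != nil {
		return "", err
	}
	dest := filepath.Join(base, v)
	rel, err := filepath.Rel(base, dest)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%s: %q escapes %s", field, v, base)
	}
	return dest, nil
}

// requireProvenance models the decision at issue in CVE-2026-35205: when
// verification is required, a missing .prov file must fail the install.
func requireProvenance(verifyRequired, haveProv bool) error {
	if verifyRequired && !haveProv {
		return fmt.Errorf("verification required but no .prov file was found")
	}
	return nil
}

func main() {
	// Constructed inputs mirroring the bulletin's cases (not real plugin data).
	for _, c := range [][2]string{{"name", "."}, {"version", "../../bin"}, {"version", "1.2.3"}} {
		dest, err := safeJoin("plugins", c[0], c[1])
		fmt.Printf("%s=%q -> dest=%q err=%v\n", c[0], c[1], dest, err)
	}
	fmt.Println(requireProvenance(true, false))
}
```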
Remediation
Install the update from the vendor's website.