#VU125577 Improper Verification of Cryptographic Signature in Helm - CVE-2026-35205


Published: April 9, 2026


Vulnerability identifier: #VU125577
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-35205
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Helm
Software vendor:
The Helm Project

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper signature verification in the plugin installation and update logic: when a plugin is installed or updated with signature verification required but the plugin's provenance (.prov) file is missing, the check does not fail closed and the install proceeds as if the plugin had been verified. A remote attacker can supply a specially crafted unsigned plugin with no .prov file and have it installed despite verification being required.

Plugin hooks defined by the installed plugin are executed by design, which is what turns the verification bypass into arbitrary code execution; user interaction (installing or updating the attacker-supplied plugin) is required.
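The following Go program is an added illustration of the failure mode described above and is not Helm's own code: a "verification required" path that treats a missing provenance file as "nothing to verify" beside a fail-closed variant that refuses the install. The provenance format, the ed25519 detached signature (standing in for Helm's PGP-signed .prov), the sample archive bytes and the function names are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrNoProvenance is returned when verification is required but no .prov accompanies the archive.
var ErrNoProvenance = errors.New("plugin provenance (.prov) file is missing; refusing to install")

// ErrBadSignature is returned when the provenance is present but does not verify.
var ErrBadSignature = errors.New("plugin provenance signature does not verify")

// Provenance is a constructed stand-in for a Helm .prov file: the SHA-256 digest of the
// plugin archive plus a detached signature over that digest (ed25519 here, PGP in Helm).
type Provenance struct {
	Digest    []byte
	Signature []byte
}

// NewSigner generates the plugin author's signing key pair (constructed for the example).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces provenance for an archive, as a plugin author would at release time.
func Sign(archive []byte, priv ed25519.PrivateKey) *Provenance {
	d := sha256.Sum256(archive)
	return &Provenance{Digest: d[:], Signature: ed25519.Sign(priv, d[:])}
}

// checkProvenance verifies that the provenance matches the archive and the trusted key.
func checkProvenance(archive []byte, prov *Provenance, pub ed25519.PublicKey) error {
	d := sha256.Sum256(archive)
	if !bytes.Equal(d[:], prov.Digest) {
		return fmt.Errorf("archive digest %x does not match provenance digest %x", d[:], prov.Digest)
	}
	if !ed25519.Verify(pub, prov.Digest, prov.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Verifier is the signature every verification strategy below implements.
type Verifier func(archive []byte, prov *Provenance, pub ed25519.PublicKey, required bool) error

// VerifyBuggy models the flaw class in the advisory: a missing .prov (prov == nil) is treated
// as "nothing to verify" and returns success even though verification was required.
func VerifyBuggy(archive []byte, prov *Provenance, pub ed25519.PublicKey, required bool) error {
	if prov == nil {
		return nil // BUG: silently passes an unsigned plugin
	}
	return checkProvenance(archive, prov, pub)
}

// VerifyFixed fails closed: when verification is required, a missing .prov is itself an error.
func VerifyFixed(archive []byte, prov *Provenance, pub ed25519.PublicKey, required bool) error {
	if prov == nil {
		if required {
			return ErrNoProvenance
		}
		return nil // verification not requested: unsigned plugins remain allowed
	}
	return checkProvenance(archive, prov, pub)
}

// Install runs the chosen verifier and only then "executes" the plugin's install hook.
// The returned bool models whether the hook ran, which is the attacker's goal.
func Install(archive []byte, prov *Provenance, pub ed25519.PublicKey, required bool, verify Verifier) (bool, error) {
	if err := verify(archive, prov, pub, required); err != nil {
		return false, err
	}
	return true, nil // hook commands from plugin.yaml would run here, by design
}

func main() {
	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	archive := []byte("constructed plugin archive bytes (stand-in for plugin.tgz)")
	signed := Sign(archive, priv)
	fmt.Println("archive digest:", hex.EncodeToString(signed.Digest))
	cases := []struct {
		name string
		prov *Provenance
	}{{"signed plugin", signed}, {"missing .prov", nil}}
	for _, tc := range cases {
		ranB, errB := Install(archive, tc.prov, pub, true, VerifyBuggy)
		ranF, errF := Install(archive, tc.prov, pub, true, VerifyFixed)
		fmt.Printf("%-14s buggy: hook=%v err=%v | fixed: hook=%v err=%v\n", tc.name, ranB, errB, ranF, errF)
	}
}
```

With verification required, the buggy verifier lets the unsigned archive install and run its hook, while the fixed one returns ErrNoProvenance before any hook executes; a tampered archive with a stale provenance is rejected by both because the digest no longer matches.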


Remediation

Install the security update from the vendor's website.

External links