Improper Verification of Cryptographic Signature in Helm - CVE-2026-35205

 


Published: April 9, 2026


Vulnerability identifier: #VU125577
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-35205
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Helm Project
Affected software:
Helm

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper signature verification in the plugin installation and update logic: when a plugin is installed or updated with signature verification required but the provenance (.prov) file is missing, the verification does not fail. A remote attacker can supply a specially crafted unsigned plugin that ships without a .prov file and thereby execute arbitrary code.

Plugin hooks in the installed plugin are executed as designed, and user interaction is required.
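The failure mode is a verify-required check that treats an absent provenance file as "nothing to verify". The example below is added here and is not Helm's code: the function names and the "SIGNED:" marker are constructed stand-ins for the real provenance check, placed beside a version that fails closed.

```go
package main

import "errors"

// ErrMissingProvenance: verification was required but no .prov file exists.
var ErrMissingProvenance = errors.New("verification required but .prov file is missing")

// verifySignature is a hypothetical stand-in for the real signature check:
// the provenance is accepted only if it equals "SIGNED:" + archive bytes.
func verifySignature(archive, prov []byte) error {
	if string(prov) == "SIGNED:"+string(archive) {
		return nil
	}
	return errors.New("signature does not match archive")
}

// weakInstallCheck shows the failure mode the advisory describes: an absent
// .prov file (provFound == false) passes even though verification is required.
func weakInstallCheck(archive, prov []byte, provFound, verifyRequired bool) error {
	if !provFound {
		return nil // BUG: missing provenance silently passes
	}
	if verifyRequired {
		return verifySignature(archive, prov)
	}
	return nil
}

// strictInstallCheck fails closed: with verification required, a missing
// .prov file is a hard error, and a present one must actually verify.
func strictInstallCheck(archive, prov []byte, provFound, verifyRequired bool) error {
	if !provFound {
		if verifyRequired {
			return ErrMissingProvenance
		}
		return nil
	}
	return verifySignature(archive, prov)
}

// runScenario runs both checks, with verification required, against a
// constructed unsigned plugin archive that ships no .prov file.
func runScenario() (weakErr, strictErr error) {
	archive := []byte("constructed plugin archive bytes")
	return weakInstallCheck(archive, nil, false, true),
		strictInstallCheck(archive, nil, false, true)
}
```

The weak check returns nil for the unsigned archive while the strict one returns ErrMissingProvenance; a detection rule for this class of bug is simply that "verify required" must never succeed without a provenance document being read and checked.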


How to mitigate CVE-2026-35205

Install the security update from the vendor's website.

Sources