Helm has a path traversal in plugin metadata version enables...

8.4 / 10

HIGH

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H

Description

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.

Basic Information

ID CVE-2026-35204

Source GitHub_M

Published Apr 9, 2026 at 15:03

Modified Apr 9, 2026 at 17:46

Affected Product

Vendor helm

Product helm

Version >= 4.0.0, < 4.1.4

Affected Versions helm helm >= 4.0.0, < 4.1.4

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. \"/../\". This vulnerability is fixed in 4.1.4.",
    "published": "2026-04-09T15:03:28.668Z",
    "modified": "2026-04-09T17:46:15.811Z",
    "type": "cve",
    "title": "Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory",
    "source": "GitHub_M",
    "references": "https://github.com/helm/helm/security/advisories/GHSA-vmx8-mqv2-9gmg\nhttps://github.com/helm/helm/commit/36c8539e99bc42d7aef9b87d136254662d04f027\nhttps://github.com/helm/helm/releases/tag/v4.1.4",
    "id": "CVE-2026-35204",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "helm helm >= 4.0.0, < 4.1.4",
    "sourceHref": "",
    "cvss": {
        "score": 8.4,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "helm",
    "version": ">= 4.0.0, < 4.1.4",
    "vendor": "helm",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory_CVE-2026-35204