Helm’s plugin verification fails open when .prov is missing, allowing...

8.4 / 10

HIGH

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.

Basic Information

ID CVE-2026-35205

Source GitHub_M

Published Apr 9, 2026 at 15:06

Modified Apr 9, 2026 at 16:05

Affected Product

Vendor helm

Product helm

Version >= 4.0.0, < 4.1.4

Affected Versions helm helm >= 4.0.0, < 4.1.4

CWE Classification

CWE-636

References

{
    "lastseen": "",
    "description": "Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.",
    "published": "2026-04-09T15:06:41.052Z",
    "modified": "2026-04-09T16:05:00.744Z",
    "type": "cve",
    "title": "Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install",
    "source": "GitHub_M",
    "references": "https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7\nhttps://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f\nhttps://github.com/helm/helm/releases/tag/v4.1.4\nhttps://helm.sh/docs/topics/provenance/#the-provenance-file",
    "id": "CVE-2026-35205",
    "bulletinFamily": "",
    "cwe": [
        "CWE-636"
    ],
    "cvelist": null,
    "sourceData": "helm helm >= 4.0.0, < 4.1.4",
    "sourceHref": "",
    "cvss": {
        "score": 8.4,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "helm",
    "version": ">= 4.0.0, < 4.1.4",
    "vendor": "helm",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Helm’s plugin verification fails open when .prov is missing, allowing unsigned plugin install_CVE-2026-35205