Description

Helm is a package manager for Kubernetes Charts. In versions 4.0.0 through 4.1.3, Helm installs plugins that lack a provenance (.prov) file even when signature verification is required, so the verification step fails open instead of rejecting the plugin. This vulnerability is fixed in 4.1.4.

PUBLISHED Reserved 2026-04-01 | Published 2026-04-09 | Updated 2026-04-09 | Assigner GitHub_M

HIGH: 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-636: Not Failing Securely ('Failing Open')

Product status

>= 4.0.0, < 4.1.4: affected

References

github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7

github.com/...ommit/05fa37973dc9e42b76e1d2883494c87174b6074f

github.com/helm/helm/releases/tag/v4.1.4

helm.sh/docs/topics/provenance/

cve.org (CVE-2026-35205)

nvd.nist.gov (CVE-2026-35205)