CVE-2026-35205
HIGH
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
Title source: cnaDescription
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
References (8)
x_refsource_confirm
https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7
x_refsource_misc
https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f
x_refsource_misc
https://github.com/helm/helm/releases/tag/v4.1.4
x_refsource_misc
https://helm.sh/docs/topics/provenance/#the-provenance-file
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:26441
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-35205
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2456927
Scores
CVSS v3
7.8
EPSS
0.0018
EPSS Percentile
7.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-347
CWE-636
Status
published
Products (3)
helm/helm
4.0.0 - 4.1.4
helm/helm
>= 4.0.0, < 4.1.4
helm/v4
4.0.0 - 4.1.4 (Go)
Published
Apr 09, 2026
Tracked Since
Apr 09, 2026