CVE-2026-35205

HIGH

Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install

Title source: cna

Description

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm installs plugins that lack a provenance (.prov) file even when signature verification is required, so the verification check fails open and an unsigned plugin can be installed. This vulnerability is fixed in 4.1.4.

Scores

CVSS v3 7.8
EPSS 0.0002
EPSS Percentile 4.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-636
Status published
Products (3)
helm/helm 4.0.0 - 4.1.4
helm/helm >= 4.0.0, < 4.1.4
helm/v4 4.0.0 - 4.1.4 (Go)
Published Apr 09, 2026
Tracked Since Apr 09, 2026