CVE-2026-35206

MEDIUM

Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment

Title source: cna

Description

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.

References (3)

Scores

CVSS v3 4.4
EPSS 0.0001
EPSS Percentile 1.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Details

CWE
CWE-22
Status published
Products (4)
helm/helm < 3.20.2 (2 CPE variants)
helm/helm >= 4.0.0, < 4.1.4
helm/v3 0 - 3.20.2Go
helm/v4 0 - 4.1.4Go
Published Apr 09, 2026
Tracked Since Apr 10, 2026