CVE-2026-35204Path Traversal in Helm V4

CWE-22Path Traversal7 documents5 sources
Severity
8.4HIGHNVD
EPSS
0.0%
top 95.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Helm.sh Helm V4Helm
Timeline
PublishedApr 9
Latest updateApr 10

Description

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H

Affected Packages2 packages

Gohelm.sh/helm_v44.0.04.1.4
CVEListV5helm/helm>= 4.0.0, < 4.1.4

🔴Vulnerability Details

2
GHSA
Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory2026-04-10
CVEList
Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory2026-04-09

🕵️Threat Intelligence

1
Wiz
CVE-2026-35204 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

3
Bugzilla
CVE-2026-35204 helm: Helm: Arbitrary file write via specially crafted plugin [fedora-all]2026-04-10
Bugzilla
CVE-2026-35204 helm: Helm: Arbitrary file write via specially crafted plugin [epel-all]2026-04-10
Bugzilla
CVE-2026-35204 github.com/helm/helm: helm.sh/helm/v4: Helm: Arbitrary file write via specially crafted plugin2026-04-09
CVE-2026-35204 — Path Traversal in Helm.sh Helm V4 | cvebase