CVE-2026-35205 — Failing Open in Helm V4

CWE-636 — Failing Open7 documents5 sources

Severity

8.4HIGHNVD

EPSS

0.0%

top 95.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Helm.sh Helm V4 Helm

Timeline

PublishedApr 9

Latest updateApr 10

Description

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶Gohelm.sh/helm_v44.0.0 — 4.1.4

▶CVEListV5helm/helm>= 4.0.0, < 4.1.4

🔴Vulnerability Details

GHSA

Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install↗2026-04-10

▶

CVEList

Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install↗2026-04-09

▶

🕵️Threat Intelligence

Wiz

CVE-2026-35205 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-35205 helm: Helm: Arbitrary code execution due to insufficient plugin provenance verification [fedora-all]↗2026-04-10

▶

Bugzilla

CVE-2026-35205 helm: Helm: Arbitrary code execution due to insufficient plugin provenance verification [epel-all]↗2026-04-10

▶

Bugzilla

CVE-2026-35205 github.com/helm/helm: helm.sh/helm/v4: Helm: Arbitrary code execution due to insufficient plugin provenance verification↗2026-04-09

▶