CVE-2026-35206: Path Traversal in Helm

CWE-22 Path Traversal (6 documents, 6 sources)
Severity: 4.8 MEDIUM (NVD)
EPSS: 0.0% (top 95.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 9; latest update Apr 10

Description

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart causes `helm pull --untar [chart URL | repo/chartname]` to write the Chart's contents directly into the output directory (by default the current working directory, or the directory given by the --destination and --untardir flags) rather than into the expected subdirectory named after the chart. The chart's files therefore land alongside, and may overwrite, whatever is already in that directory; the CVSS vector rates this as low integrity and availability impact (VI:L/VA:L). This vulnerability is fixed in 3.20.2 and 4.1.4.
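The directory collapse described above, as an added illustration that is not Helm's own code: the extraction target is formed by joining the destination with the name declared in `Chart.yaml`, and a dot-segment name makes the join clean back to the destination itself. The helper names (`untarTargetUnchecked`, `untarTargetChecked`, `validateChartName`), the minimal `chartNameFromYAML` stand-in for a real YAML parser, and the `Chart.yaml` content are all constructed for this example and are not taken from the Helm code base or the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed Chart.yaml (not from any real chart): the declared chart
// name is the dot-segment ".".
const craftedChartYAML = `apiVersion: v2
name: .
version: 0.1.0
`

// ErrBadChartName is returned for any name that is not one plain directory component.
var ErrBadChartName = errors.New("chart name is not a single plain path component")

// chartNameFromYAML is a deliberately minimal stand-in for a YAML parser
// (illustrative only): it returns the value of the first top-level "name:" line.
func chartNameFromYAML(chartYAML string) string {
	for _, line := range strings.Split(chartYAML, "\n") {
		if strings.HasPrefix(line, "name:") {
			v := strings.TrimSpace(strings.TrimPrefix(line, "name:"))
			return strings.Trim(v, `"'`)
		}
	}
	return ""
}

// untarTargetUnchecked shows the pattern the advisory describes (hypothetical
// helper, not Helm's code): join the destination with the chart's declared
// name. filepath.Join cleans the result, so a name of "." (or "") collapses
// back onto dest itself, and ".." escapes it entirely.
func untarTargetUnchecked(dest, chartName string) string {
	return filepath.Join(dest, chartName)
}

// validateChartName accepts only a single plain path component: not empty,
// not "." or "..", no path separators, and nothing that Clean() would rewrite.
func validateChartName(name string) error {
	if name == "" || name == "." || name == ".." {
		return ErrBadChartName
	}
	if strings.ContainsAny(name, `/\`) {
		return ErrBadChartName
	}
	if filepath.Clean(name) != name {
		return ErrBadChartName
	}
	return nil
}

// untarTargetChecked is the hardened form: validate the name, join, then
// confirm the result is a strict child of dest, so a later change to the
// validator cannot silently reintroduce the collapse.
func untarTargetChecked(dest, chartName string) (string, error) {
	if err := validateChartName(chartName); err != nil {
		return "", err
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, chartName)
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadChartName
	}
	return target, nil
}

func main() {
	dest := "./charts" // stands in for what --destination/--untardir would select
	name := chartNameFromYAML(craftedChartYAML)
	fmt.Printf("declared name %q -> unchecked target %q\n", name, untarTargetUnchecked(dest, name))
	for _, n := range []string{name, "..", "a/b", "", "nginx"} {
		t, err := untarTargetChecked(dest, n)
		fmt.Printf("checked %-6q -> %q, err=%v\n", n, t, err)
	}
}
```

Validating the declared name as a single plain component is the essential fix; the post-join `filepath.Rel` check is a second layer that catches any future regression in the validator rather than a substitute for it.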

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages (3 packages)

CVEList V5: helm/helm < 3.20.2 (+1)
Go: helm.sh/helm_v3 < 3.20.2
Go: helm.sh/helm_v4 < 4.1.4

🔴 Vulnerability Details (3)

GHSA: Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment (2026-04-10)
VulDB: Helm up to 3.20.1/4.1.3 Chart path traversal (GHSA-hr2v-4r36-88hr) (2026-04-10)
CVEList: Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment (2026-04-09)

📋 Vendor Advisories (1)

Red Hat: github.com/helm/helm: Helm: Files written to unexpected directory via specially crafted Chart (2026-04-09)

💬 Community (1)

Bugzilla: CVE-2026-35206 github.com/helm/helm: Helm: Files written to unexpected directory via specially crafted Chart (2026-04-09)
CVE-2026-35206 — Path Traversal in Helm | cvebase