HIGHCVE-2026-35205Published 2026-04-09Modified 2026-04-09CNA GitHub_M

CVE-2026-35205: Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.

CVSS v4.0: 8.4
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

helm / helm
>= 4.0.0, < 4.1.4

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7
https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f
https://github.com/helm/helm/releases/tag/v4.1.4
https://helm.sh/docs/topics/provenance/#the-provenance-file

Metrics