Platform: go
Component: helm.sh/helm/v4
Fixed in: 4.0.1, 4.1.4
CVE-2026-35204 describes a path traversal vulnerability discovered in Helm, the package manager for Kubernetes charts. The flaw allows a specially crafted Helm plugin, during installation or update, to write its contents to an arbitrary location on the user's filesystem, with a significant risk of file corruption and potential system compromise. The vulnerability affects Helm versions 4.0.0 through 4.1.3; a fix is available in version 4.1.4.
The core impact of CVE-2026-35204 is that a malicious Helm plugin can bypass the filesystem boundaries the installer is meant to enforce. An attacker could craft a plugin that, when installed or updated, overwrites critical system files or user data, leading to denial of service, data loss, or complete system takeover. Because the write is arbitrary, the attacker is not limited to specific directories and can target any location writable by the Helm process. This underlines the importance of carefully vetting Helm plugins before installation, since a compromised plugin can have far-reaching consequences.
CVE-2026-35204 was publicly disclosed on 2026-04-10. There is no indication of this vulnerability being actively exploited at the time of writing. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is not widely available, but the potential for exploitation is considered medium due to the ease of crafting a malicious plugin.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
The primary mitigation for CVE-2026-35204 is to upgrade Helm to version 4.1.4 or later, which includes the fix. If an immediate upgrade is not feasible, apply stricter access controls on the filesystem where Helm operates to limit the damage a malicious plugin can do, and review existing Helm plugins for any signs of compromise. A WAF or proxy cannot prevent this vulnerability directly, since the write happens locally during plugin installation; the relevant control is monitoring for unusual file write activity on the host. No specific Sigma or YARA rules are readily available for this vulnerability, so file system integrity monitoring is crucial.
Upgrade Helm to version 4.1.4 or later to mitigate this vulnerability. Check that the plugin.yaml file of your plugins does not contain the sequence '/../' in the 'version:' field, to prevent arbitrary file writes.
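As an added defender-side example, not Helm's own code and not part of this advisory, the following Go program implements the plugin.yaml check described above: it extracts the `version:` field and rejects a value that contains a path separator or that would resolve outside the plugins directory. The plugins directory path and the two plugin.yaml samples are constructed for the example, and the assumption that the installer uses the version string as a path component under the plugins directory is taken from the advisory's description rather than verified against Helm's source.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample plugin.yaml contents (not taken from the advisory): one
// benign, one carrying the '/../' sequence the advisory tells users to look for.
const benignPluginYAML = `name: example-plugin
version: 1.2.3
usage: "prints hello"
`

const traversalPluginYAML = `name: example-plugin
version: 1.0.0/../../../../tmp/escaped
usage: "prints hello"
`

// pluginVersion extracts the value of the top-level "version:" key from
// plugin.yaml text. It is a deliberately small line scanner, not a YAML
// parser, which is enough for the flat key: value layout plugin.yaml uses.
func pluginVersion(yamlText string) (string, bool) {
	for _, line := range strings.Split(yamlText, "\n") {
		trimmed := strings.TrimSpace(line)
		if strings.HasPrefix(trimmed, "version:") {
			v := strings.TrimSpace(strings.TrimPrefix(trimmed, "version:"))
			v = strings.Trim(v, `"'`)
			return v, true
		}
	}
	return "", false
}

// versionEscapesDir reports whether using version as a path component under
// pluginsDir would resolve to a location outside pluginsDir. The assumption
// (the advisory describes the symptom, not the exact path construction) is
// that the installer derives a directory name from the version string.
func versionEscapesDir(pluginsDir, version string) bool {
	base := filepath.Clean(pluginsDir)
	target := filepath.Join(base, version) // Join cleans, so ".." segments are resolved here
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// versionIsSafe is the pre-install check a reviewer would run: reject any
// version containing a path separator, and any version that, after cleaning,
// lands outside the plugins directory.
func versionIsSafe(pluginsDir, version string) bool {
	if strings.ContainsAny(version, `/\`) {
		return false
	}
	return !versionEscapesDir(pluginsDir, version)
}

// checkPluginYAML returns the extracted version and whether it passes the check.
// A plugin.yaml without a version field is reported as not safe.
func checkPluginYAML(pluginsDir, yamlText string) (string, bool) {
	v, ok := pluginVersion(yamlText)
	if !ok {
		return "", false
	}
	return v, versionIsSafe(pluginsDir, v)
}

func main() {
	const pluginsDir = "/home/user/.local/share/helm/plugins" // constructed path
	for _, y := range []string{benignPluginYAML, traversalPluginYAML} {
		v, safe := checkPluginYAML(pluginsDir, y)
		fmt.Printf("version %q safe=%v\n", v, safe)
	}
}
```

The separator check in versionIsSafe rejects the traversal string before any path arithmetic; versionEscapesDir is kept separate so the same logic can be applied to a plugin directory name already on disk when auditing an existing installation.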
CVE-2026-35204 is a Path Traversal vulnerability in Helm v4 allowing malicious plugins to write to arbitrary filesystem locations.
You are affected if you are running Helm versions 4.0.0 through 4.1.3. Upgrade to 4.1.4 or later to resolve the vulnerability.
Upgrade Helm to version 4.1.4 or later. If immediate upgrade is not possible, restrict filesystem access for the Helm process.
There is currently no evidence of active exploitation, but the potential exists due to the ease of crafting a malicious plugin.
Refer to the official Helm security advisory on the helm.sh website for detailed information and updates.