CVE-2026-35205 - Vulnerability Details - OpenCVE

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f
https://github.com/helm/helm/releases/tag/v4.1.4
https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7
https://helm.sh/docs/topics/provenance/#the-provenance-file

History

Thu, 09 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 09 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
Title		Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
Weaknesses		CWE-636
References		https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f https://github.com/helm/helm/releases/tag/v4.1.4 https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7 https://helm.sh/docs/topics/provenance/#the-provenance-file
Metrics		cvssV4_0 `{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-09T15:06:41.052Z

Updated: 2026-04-09T16:05:00.744Z

Reserved: 2026-04-01T18:48:58.937Z

Link: CVE-2026-35205

Vulnrichment

Updated: 2026-04-09T16:04:50.634Z

NVD

Status : Received

Published: 2026-04-09T16:16:27.720

Modified: 2026-04-09T16:16:27.720

Link: CVE-2026-35205

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35205", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.937Z", "datePublished": "2026-04-09T15:06:41.052Z", "dateUpdated": "2026-04-09T16:05:00.744Z"}, "containers": {"cna": {"title": "Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install", "problemTypes": [{"descriptions": [{"cweId": "CWE-636", "lang": "en", "description": "CWE-636: Not Failing Securely ('Failing Open')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7"}, {"name": "https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f", "tags": ["x_refsource_MISC"], "url": "https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f"}, {"name": "https://github.com/helm/helm/releases/tag/v4.1.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/helm/helm/releases/tag/v4.1.4"}, {"name": "https://helm.sh/docs/topics/provenance/#the-provenance-file", "tags": ["x_refsource_MISC"], "url": "https://helm.sh/docs/topics/provenance/#the-provenance-file"}], "affected": [{"vendor": "helm", "product": "helm", "versions": [{"version": ">= 4.0.0, < 4.1.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T15:06:41.052Z"}, "descriptions": [{"lang": "en", "value": "Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4."}], "source": {"advisory": "GHSA-q5jf-9vfq-h4h7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T16:04:47.054575Z", "id": "CVE-2026-35205", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:05:00.744Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35205", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T16:04:47.054575Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:04:50.634Z"}}], "cna": {"title": "Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install", "source": {"advisory": "GHSA-q5jf-9vfq-h4h7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "helm", "product": "helm", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.1.4"}]}], "references": [{"url": "https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7", "name": "https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f", "name": "https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/helm/helm/releases/tag/v4.1.4", "name": "https://github.com/helm/helm/releases/tag/v4.1.4", "tags": ["x_refsource_MISC"]}, {"url": "https://helm.sh/docs/topics/provenance/#the-provenance-file", "name": "https://helm.sh/docs/topics/provenance/#the-provenance-file", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-636", "description": "CWE-636: Not Failing Securely ('Failing Open')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T15:06:41.052Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35205", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:05:00.744Z", "dateReserved": "2026-04-01T18:48:58.937Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T15:06:41.052Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4."}], "id": "CVE-2026-35205", "lastModified": "2026-04-09T16:16:27.720", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T16:16:27.720", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f"}, {"source": "security-advisories@github.com", "url": "https://github.com/helm/helm/releases/tag/v4.1.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7"}, {"source": "security-advisories@github.com", "url": "https://helm.sh/docs/topics/provenance/#the-provenance-file"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-636"}], "source": "security-advisories@github.com", "type": "Primary"}]}