CVE-2026-35204: Helm path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory
Helm is a package manager for Charts for Kubernetes. In Helm versions >=4.0.0 and <=4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location.
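A pre-install check a defender could run on a plugin's declared version, as an added example (not Helm's code and not its fix). It assumes the version string becomes part of a directory name under the plugin directory, which the advisory does not spell out; `checkPluginVersion` and the `pluginsDir/<name>-<version>` layout are hypothetical.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// semverRe accepts MAJOR.MINOR.PATCH with optional pre-release and build parts.
// No permitted character is a path separator, and ".." cannot occur.
var semverRe = regexp.MustCompile(`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$`)

// checkPluginVersion rejects a metadata version that is not SemVer-shaped, then
// confirms the resulting destination still resolves inside pluginsDir.
// Assumption (hypothetical layout): destination = pluginsDir/<name>-<version>.
func checkPluginVersion(pluginsDir, name, version string) (string, error) {
	if !semverRe.MatchString(version) {
		return "", fmt.Errorf("version %q is not a SemVer string", version)
	}
	base, err := filepath.Abs(pluginsDir)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(base, name+"-"+version) // Join also cleans ".." segments
	rel, err := filepath.Rel(base, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("destination %q escapes %q", dest, base)
	}
	return dest, nil
}

func main() {
	// Constructed sample values, not taken from the advisory.
	for _, v := range []string{"1.4.0", "../../outside/1.0.0"} {
		dest, err := checkPluginVersion("/tmp/plugins", "demo", v)
		fmt.Printf("version=%q dest=%q err=%v\n", v, dest, err)
	}
}
```

The containment check runs even after the format check passes, so a traversal carried in the plugin name rather than the version is rejected as well.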