CVE-2026-35205: Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
Helm is a package manager for Kubernetes charts. In Helm versions >=4.0.0 and <=4.1.3, Helm installs a plugin that is missing its provenance (.prov) file even when signature verification is required, so the check fails open and an unsigned plugin can be installed.
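The fail-open pattern behind this advisory, shown as an added illustration (not Helm's own code): the vulnerable variant treats a missing .prov file as "nothing to verify", while the fixed variant refuses to install when verification is required and the file is absent. The function and type names are hypothetical, and the signature check itself is stubbed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrMissingProvenance is returned when verification is required but no .prov exists.
var ErrMissingProvenance = errors.New("plugin provenance (.prov) file missing; refusing to install")

// verifyFunc stands in for the real signature check (hypothetical, not Helm's API).
type verifyFunc func(pluginPath, provPath string) error

// installFailOpen mirrors the vulnerable behaviour: a missing .prov file short-circuits
// the check and the install proceeds even though verification was required.
func installFailOpen(pluginPath string, required bool, verify verifyFunc) error {
	provPath := pluginPath + ".prov"
	if _, err := os.Stat(provPath); err != nil {
		return nil // BUG: nothing to verify, so install anyway (fails open)
	}
	if required {
		return verify(pluginPath, provPath)
	}
	return nil
}

// installFailClosed treats a missing .prov file as a hard error whenever
// verification is required; only a present and verified file allows the install.
func installFailClosed(pluginPath string, required bool, verify verifyFunc) error {
	if !required {
		return nil
	}
	provPath := pluginPath + ".prov"
	if _, err := os.Stat(provPath); err != nil {
		if errors.Is(err, os.ErrNotExist) {
			return ErrMissingProvenance
		}
		return fmt.Errorf("stat %s: %w", provPath, err)
	}
	return verify(pluginPath, provPath)
}

func main() {
	dir, _ := os.MkdirTemp("", "plugin") // constructed sample plugin with no .prov
	defer os.RemoveAll(dir)
	plugin := filepath.Join(dir, "example-plugin.tgz")
	_ = os.WriteFile(plugin, []byte("constructed archive"), 0o600)
	alwaysOK := func(_, _ string) error { return nil }
	fmt.Println("fail-open:  ", installFailOpen(plugin, true, alwaysOK))
	fmt.Println("fail-closed:", installFailClosed(plugin, true, alwaysOK))
}
```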