CVE-2026-35205 HIGH

CVE-2026-35205: Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install

Vendor Helm
Product helm
Weakness CWE-636 (Not Failing Securely, "Failing Open")
Published April 9, 2026
Last update June 30, 2026

CVSS base score

8.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Active
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Helm is a package manager for Kubernetes charts. In versions 4.0.0 through 4.1.3, Helm installs a plugin that lacks a provenance (.prov) file even when signature verification is required: the check fails open instead of rejecting the plugin, so an unsigned plugin can be installed. This vulnerability is fixed in 4.1.4.

Key dates

Disclosure timeline

April 9, 2026 CVE published
June 30, 2026 Record updated