PT-2026-31732 · Cncf+1 · Helm+1

Published: 2026-04-09 · Updated: 2026-05-06 · CVE-2026-35206

CVSS v4.0: 4.8 (Medium)

Vector: AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Helm versions 3.20.1 and earlier, and versions 4.1.3 and earlier

Description: Helm, a package manager for Kubernetes Charts, is affected by an issue where a specially crafted Chart can cause the helm pull --untar command to write chart contents to an incorrect directory. Instead of writing into the expected output directory suffixed with the chart name, the command writes into the current working directory (or into the directories given by the --destination and --untardir flags). The issue is triggered when such a malicious chart is processed with helm pull --untar.

Recommendations: Update to Helm version 3.20.2 or later. Update to Helm version 4.1.4 or later.
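The description above boils down to a chart archive whose entries do not all sit under the expected chart-name directory, so unpacking it spills files into whatever directory the command was pointed at. The following is an added example, not Helm's own code, of a defensive pre-check a chart mirror or CI gate can run on a downloaded archive before handing it to helm pull --untar, for environments that cannot move to 3.20.2 / 4.1.4 immediately. It assumes only the standard Helm packaging layout (a gzipped tarball whose entries all live under `<chart-name>/`); the chart contents and the function names are constructed for the example.

```python
import io
import posixpath
import tarfile


def chart_tar_entries_safe(data: bytes, chart_name: str):
    """Inspect a chart archive without extracting it.

    Returns (ok, problems). An entry is a problem if it would land outside
    the <chart_name>/ directory on extraction: absolute paths, '..'
    traversal, root-level files, or links whose target leaves the chart
    directory. (Assumed Helm layout: every entry is under <chart_name>/.)
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            name = member.name
            norm = posixpath.normpath(name)
            # Paths that escape the extraction root outright.
            if posixpath.isabs(name) or norm == ".." or norm.startswith("../"):
                problems.append(f"{name}: escapes extraction root")
                continue
            # Every entry must have the chart name as its first path component;
            # anything else would be written straight into the output directory.
            top = norm.split("/", 1)[0]
            if top != chart_name:
                problems.append(f"{name}: not under {chart_name}/")
            # Links are resolved relative to the archive layout and must stay inside.
            if member.issym() or member.islnk():
                target = member.linkname
                if member.issym():
                    resolved = posixpath.normpath(
                        posixpath.join(posixpath.dirname(norm), target))
                else:
                    resolved = posixpath.normpath(target)
                if posixpath.isabs(target) or resolved.split("/", 1)[0] != chart_name:
                    problems.append(f"{name}: link target {target} leaves {chart_name}/")
    return (not problems, problems)


def build_chart(entries):
    """Build an in-memory .tgz from (path, text) pairs (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, text in entries:
            payload = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample archives: a well-formed chart and one whose files sit at
# the archive root, which is the shape that ends up in the working directory.
GOOD_CHART = build_chart([
    ("mychart/Chart.yaml", "apiVersion: v2\nname: mychart\nversion: 0.1.0\n"),
    ("mychart/templates/deployment.yaml", "kind: Deployment\n"),
])
ROOT_LEVEL_CHART = build_chart([
    ("Chart.yaml", "apiVersion: v2\nname: mychart\nversion: 0.1.0\n"),
    ("templates/deployment.yaml", "kind: Deployment\n"),
])


if __name__ == "__main__":
    for label, blob in (("good", GOOD_CHART), ("root-level", ROOT_LEVEL_CHART)):
        ok, problems = chart_tar_entries_safe(blob, "mychart")
        print(label, "OK" if ok else "REJECT", problems)
```

The chart name to check against should come from a trusted source (the repository index entry you asked for, not the archive's own Chart.yaml), and the check is a gate before extraction, not a substitute for the upgrade.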

Fix

Weakness Enumeration: Path traversal

Related Identifiers

BIT-HELM-2026-35206
CVE-2026-35206
GHSA-HR2V-4R36-88HR
OPENSUSE-SU-2026:10532-1
OPENSUSE-SU-2026:10538-1
SUSE-SU-2026:1483-1

Affected Products

Helm
Red Os