CVE-2026-35206

MEDIUM SEVERITY

Vulnerability Description

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.

Vulnerability Details

Published Date

April 09, 2026

Last Modified

April 13, 2026

CWE ID

CWE-22

Source

NVD

Vendor

helm

Product

helm

External References

https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436
https://github.com/helm/helm/releases/tag/v4.1.4
https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr

CVE-2026-35206

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment