CVE-2026-35206

EUVD-2026-21100
Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (by default the current working directory, or the directory given by the --destination and --untardir flags), rather than to the expected output directory suffixed with the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.
Path Traversal
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  4.4 MEDIUM  LOCAL        LOW              NONE            CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Base Score (CVSS 3.x): 4.4 MEDIUM
EPSS Score / Percentile: Unknown
Affected Products (NVD)

Vendor  Product  Version
helm    helm     x < 3.20.2
helm    helm     4.0.0 ≤ x < 4.1.4

x = vulnerable software versions
openSUSE / SLES Releases

Package               openSUSE Product               Release               Status
helm                  suse enterprise sap 15 SP7     3.20.2-150000.1.71.2  fixed
helm                  suse enterprise server 15 SP4  3.20.2-150000.1.71.2  fixed
helm                  suse enterprise server 15 SP7  3.20.2-150000.1.71.2  fixed
helm-bash-completion  suse enterprise sap 15 SP7     3.20.2-150000.1.71.2  fixed
helm-bash-completion  suse enterprise server 15 SP4  3.20.2-150000.1.71.2  fixed
helm-bash-completion  suse enterprise server 15 SP7  3.20.2-150000.1.71.2  fixed
helm-zsh-completion   suse enterprise sap 15 SP7     3.20.2-150000.1.71.2  fixed
helm-zsh-completion   suse enterprise server 15 SP4  3.20.2-150000.1.71.2  fixed
helm-zsh-completion   suse enterprise server 15 SP7  3.20.2-150000.1.71.2  fixed