2456933 – (CVE-2026-35204) CVE-2026-35204 github.com/helm/helm: helm.sh/helm/v4: Helm: Arbitrary file write via specially crafted plugin

Bug 2456933 (CVE-2026-35204) - CVE-2026-35204 github.com/helm/helm: helm.sh/helm/v4: Helm: Arbitrary file write via specially crafted plugin

Summary: CVE-2026-35204 github.com/helm/helm: helm.sh/helm/v4: Helm: Arbitrary file wr...

Keywords:
Status:	NEW
Alias:	CVE-2026-35204
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2457444 2457445
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-09 16:02 UTC by OSIDB Bzimport
Modified:	2026-04-10 20:09 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-09 16:02:00 UTC

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.

Note You need to log in before you can comment on or make changes to this bug.