CVE-2026-35204 Overview
A path traversal vulnerability has been identified in Helm, the popular package manager for Kubernetes Charts. From versions 4.0.0 to 4.1.3, a specially crafted Helm plugin can exploit improper validation in the plugin version field to write contents to arbitrary filesystem locations during plugin installation or update operations. This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Attackers can leverage malicious Helm plugins containing POSIX dot-dot path separators (/../) in the version field of plugin.yaml to write arbitrary files to the filesystem, potentially leading to privilege escalation or system compromise in Kubernetes environments.
Affected Products
- Helm versions 4.0.0 through 4.1.3
- Kubernetes environments utilizing affected Helm versions for chart management
- CI/CD pipelines with automated Helm plugin installation capabilities
Discovery Timeline
- April 9, 2026 - CVE CVE-2026-35204 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35204
Vulnerability Analysis
This path traversal vulnerability exists in Helm's plugin metadata processing functionality. When a user installs or updates a Helm plugin, the application processes the plugin.yaml file without properly validating the version: field for malicious path components. An attacker can craft a plugin with a version field containing directory traversal sequences (e.g., /../) that escape the intended plugin directory and write files to arbitrary locations on the filesystem.
The attack requires local access and user interaction (the user must install or update a malicious plugin), but the impact extends beyond the local system. Successful exploitation can result in high integrity violations both locally and on subsequent systems that trust the compromised Helm installation, affecting the security context of Kubernetes deployments managed by the compromised Helm instance.
Root Cause
The root cause lies in Helm's failure to validate the semantic version format of the plugin version field before using it in filesystem operations. The plugin metadata processing code did not enforce that the version field adhered to valid semver standards, allowing arbitrary strings including path traversal sequences to be processed. This improper input validation (CWE-22) enabled the version field to be weaponized as an attack vector.
Attack Vector
The attack is executed locally and requires user interaction. An attacker must convince a user to install or update a malicious Helm plugin containing a crafted plugin.yaml file. The version field in this file contains path traversal sequences such as /../../../etc/ followed by a target filename. When Helm processes this plugin, it uses the malicious version string in file path construction, resulting in files being written outside the intended plugin directory.
The security fix introduces strict semver validation to ensure the version field contains only valid semantic versioning strings:
// Security patch in internal/plugin/metadata.go
// Source: https://github.com/helm/helm/commit/36c8539e99bc42d7aef9b87d136254662d04f027
"errors"
"fmt"
+ "github.com/Masterminds/semver/v3"
+
"helm.sh/helm/v4/internal/plugin/schema"
)
+// isValidSemver checks if the given string is a valid semantic version.
+func isValidSemver(v string) bool {
+ _, err := semver.NewVersion(v)
+ return err == nil
+}
+
// Metadata of a plugin, converted from the "on-disk" legacy or v1 plugin.yaml
// Specifically, Config and RuntimeConfig are converted to their respective types based on the plugin type and runtime
type Metadata struct {
Source: GitHub Commit Reference
The validation is then applied in the legacy metadata handling:
// Security patch in internal/plugin/metadata_legacy.go
// Source: https://github.com/helm/helm/commit/36c8539e99bc42d7aef9b87d136254662d04f027
if !validPluginName.MatchString(m.Name) {
return fmt.Errorf("invalid plugin name %q: must contain only a-z, A-Z, 0-9, _ and -", m.Name)
}
+
+ if m.Version != "" && !isValidSemver(m.Version) {
+ return fmt.Errorf("invalid plugin version %q: must be valid semver", m.Version)
+ }
+
m.Usage = sanitizeString(m.Usage)
if len(m.PlatformCommand) > 0 && len(m.Command) > 0 {
Source: GitHub Commit Reference
Detection Methods for CVE-2026-35204
Indicators of Compromise
- Helm plugin plugin.yaml files containing /../ or ..\\ sequences in the version: field
- Unexpected files created outside of standard Helm plugin directories (~/.local/share/helm/plugins/ or $HELM_DATA_HOME/plugins/)
- Plugin installation logs showing unusual version strings with path separators
Detection Strategies
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized file creation
- Audit Helm plugin installations and updates in CI/CD pipeline logs for anomalous version strings
- Deploy endpoint detection rules to alert on Helm processes writing to directories outside expected plugin paths
- Review installed plugin metadata by examining plugin.yaml files for path traversal patterns
Monitoring Recommendations
- Enable verbose logging for Helm operations in production Kubernetes environments
- Monitor for unauthorized modifications to system configuration files following Helm plugin operations
- Implement runtime security tools to detect and block path traversal attempts at the filesystem level
- Track Helm binary invocations and correlate with subsequent filesystem write operations
How to Mitigate CVE-2026-35204
Immediate Actions Required
- Upgrade Helm to version 4.1.4 or later immediately across all development, staging, and production environments
- Audit all currently installed Helm plugins by examining their plugin.yaml files for suspicious version fields
- Remove any plugins with version fields containing path separators (/../ or ..\\)
- Review CI/CD pipelines that automatically install Helm plugins and implement pre-installation validation
Patch Information
The vulnerability is fixed in Helm version 4.1.4. The fix introduces strict semantic versioning validation using the Masterminds/semver/v3 library to ensure plugin version fields contain only valid semver strings. Organizations should upgrade by obtaining the patched version from the official Helm release v4.1.4. Additional details are available in the GitHub Security Advisory GHSA-vmx8-mqv2-9gmg.
Workarounds
- Manually validate the plugin.yaml of any Helm plugin before installation, ensuring the version: field does not contain POSIX dot-dot path separators
- Implement organizational policies requiring plugin review and approval before installation
- Use network policies or admission controllers to restrict plugin sources to trusted repositories only
# Validate plugin.yaml before installation
grep -r "version:" /path/to/plugin/plugin.yaml | grep -E "\.\./|\.\.\\\\"; \
if [ $? -eq 0 ]; then \
echo "WARNING: Potential path traversal detected in plugin version field"; \
exit 1; \
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
