CVE-2026-35205 Overview
CVE-2026-35205 is a signature verification flaw in Helm, the package manager for Kubernetes Charts. Helm versions 4.0.0 through 4.1.3 install plugins that lack a provenance (.prov) file even when signature verification is explicitly required. The defect undermines the security guarantee that operators rely on when enabling signature enforcement. An attacker who can supply a plugin to a user can deliver unsigned, unverified code to a workstation or CI runner. The issue is tracked as CWE-636: Not Failing Securely and is fixed in Helm 4.1.4.
Critical Impact
Helm silently installs unsigned plugins despite signature verification being enabled, allowing untrusted code to execute under the user's identity.
Affected Products
- Helm 4.0.0 through 4.1.3
- Helm CLI plugin installation workflows on Linux, macOS, and Windows
- CI/CD pipelines and developer workstations that consume Helm plugins
Discovery Timeline
- 2026-04-09 - CVE CVE-2026-35205 published to NVD
- 2026-04-17 - Last updated in NVD database
Technical Details for CVE-2026-35205
Vulnerability Analysis
Helm plugins extend the CLI with additional subcommands and are distributed as archives that can include a provenance file. The provenance file contains a signed manifest used to verify the plugin's integrity and origin. When a user installs a plugin with signature verification enabled, Helm is expected to refuse installation if the .prov file is missing or invalid.
In affected releases, Helm does not fail closed. If the plugin archive omits the provenance file entirely, the verification path treats the absence as a non-error and proceeds with installation. The control therefore protects against tampered signatures but not against the simpler case of a fully unsigned plugin. Any attacker capable of substituting or hosting a plugin archive bypasses the verification gate without forging cryptographic material.
Root Cause
The root cause is missing enforcement logic in the plugin install path. Signature verification is implemented as a conditional check on an existing .prov file rather than a precondition that one must exist. This is a classic instance of CWE-636, where a security control fails open. The fix in commit 05fa3797 requires a provenance file to be present and validated before the plugin is installed when verification is requested.
Attack Vector
Exploitation requires local user interaction. An attacker stages a malicious Helm plugin archive without a .prov file and delivers it through a Git repository URL, tarball, or compromised plugin index. The victim runs helm plugin install with verification flags enabled, expecting Helm to reject any unsigned content. Helm installs the plugin, and subsequent invocations of the plugin's subcommands execute attacker-controlled code with the privileges of the Helm user, including access to kubeconfig credentials and cluster API tokens. See the GitHub Security Advisory GHSA-q5jf-9vfq-h4h7 for the upstream description.
Detection Methods for CVE-2026-35205
Indicators of Compromise
- Helm plugin directories ($HELM_PLUGINS or ~/.local/share/helm/plugins/) containing plugin folders with no corresponding .prov file.
- helm plugin install events in shell history or CI logs that reference untrusted Git URLs or tarball sources.
- Unexpected child processes spawned by the helm binary, particularly outbound network connections from plugin hook scripts.
Detection Strategies
- Inventory installed Helm plugins across developer endpoints and CI runners and flag any plugin missing a sibling .prov file.
- Audit version banners from helm version output and identify hosts running 4.0.0 through 4.1.3.
- Review CI pipeline definitions for helm plugin install invocations and validate that plugin sources are restricted to a curated allowlist.
Monitoring Recommendations
- Enable process and file telemetry on developer workstations and build agents to capture Helm plugin install events.
- Alert on writes to Helm plugin directories from non-administrative users or outside scheduled maintenance windows.
- Correlate plugin installation events with subsequent kubeconfig reads or Kubernetes API calls originating from the same session.
How to Mitigate CVE-2026-35205
Immediate Actions Required
- Upgrade Helm to version 4.1.4 or later on all workstations, jump hosts, and CI/CD runners.
- Audit existing plugin installations and remove any plugin lacking a valid .prov file from a trusted signer.
- Rotate cluster credentials, service account tokens, and kubeconfig contexts that may have been exposed to suspicious plugins.
Patch Information
The vulnerability is fixed in Helm 4.1.4. The corrective change is committed at 05fa37973dc9e42b76e1d2883494c87174b6074f and shipped in the Helm v4.1.4 release. After upgrading, signature verification correctly fails when a plugin archive does not include a provenance file. Refer to the Helm provenance documentation for guidance on signing and verifying plugins.
Workarounds
- Restrict plugin installation to an internal registry where every published plugin is signed and accompanied by a .prov file.
- Manually verify the presence of a .prov file alongside the plugin source before invoking helm plugin install.
- Block outbound access to untrusted plugin sources from build agents to limit exposure until the upgrade is rolled out.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
