CVE-2026-35205 Overview
CVE-2026-35205 is an Authorization Bypass vulnerability in Helm, the popular package manager for Kubernetes Charts. In affected versions from 4.0.0 to 4.1.3, Helm installs plugins that are missing provenance (.prov file) even when signature verification is explicitly required. This security bypass allows potentially malicious or tampered plugins to be installed without proper cryptographic verification, undermining the integrity guarantees that provenance checking is designed to provide.
Critical Impact
Attackers could distribute malicious Helm plugins without valid cryptographic signatures. When users attempt to install these plugins with signature verification enabled, Helm would issue only a warning and proceed with installation, allowing unsigned and potentially compromised code to execute within Kubernetes environments.
Affected Products
- Helm versions 4.0.0 through 4.1.3
- Kubernetes environments utilizing Helm for plugin management
- CI/CD pipelines relying on Helm plugin signature verification
Discovery Timeline
- 2026-04-09 - CVE CVE-2026-35205 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35205
Vulnerability Analysis
This vulnerability relates to CWE-636 (Not Failing Securely), where the Helm plugin installer fails to enforce security controls when provenance data is unavailable. The root issue lies in how the signature verification logic handles the absence of a .prov file during plugin installation.
When a user installs a Helm plugin from a tarball (.tgz or .tar.gz), Helm is designed to verify the plugin's cryptographic signature using a corresponding provenance file. However, in vulnerable versions, when no .prov file exists, the installer merely emits a warning to stderr and continues with installation. This "fail-open" behavior defeats the purpose of mandatory signature verification, as an attacker can simply omit the provenance file to bypass verification entirely.
The vulnerability requires local access with user interaction—a user must be convinced to install a malicious plugin. However, given Helm's widespread use in Kubernetes environments where plugins can have extensive cluster access, successful exploitation could lead to complete compromise of confidentiality, integrity, and availability within the affected environment.
Root Cause
The vulnerability stems from insecure error handling in the plugin installation code path. When the provenance data length is zero (indicating no .prov file was found), the original code printed a warning message but did not halt the installation process. This design choice prioritized usability over security, allowing installations to proceed without cryptographic verification when verification should have been mandatory.
The fix changes this behavior to return an error immediately when no provenance file is found, ensuring that signature verification cannot be bypassed by simply omitting the provenance file.
Attack Vector
An attacker could exploit this vulnerability through the following attack scenario:
- Create a malicious Helm plugin packaged as a tarball
- Distribute the tarball without an accompanying .prov provenance file
- Convince a victim to install the plugin using helm plugin install
- Despite signature verification being enabled, Helm would only warn about the missing provenance and proceed with installation
- The malicious plugin code executes with the privileges of the Helm process, potentially gaining access to Kubernetes cluster credentials and resources
The following patch demonstrates the fix applied to address this vulnerability:
// internal/plugin/installer/installer.go
// Before: Warning was issued but installation continued
// After: Installation fails immediately when provenance is missing
// Check if provenance data exists
if len(provData) == 0 {
- // No .prov file found - emit warning but continue installation
- fmt.Fprintf(os.Stderr, "WARNING: No provenance file found for plugin. Plugin is not signed and cannot be verified.\n")
- } else {
- // Provenance data exists - verify the plugin
- verification, err := plugin.VerifyPlugin(archiveData, provData, filename, opts.Keyring)
- if err != nil {
- return nil, fmt.Errorf("plugin verification failed: %w", err)
- }
+ return nil, fmt.Errorf("plugin verification failed: no provenance file (.prov) found")
+ }
- // Collect verification info
- result = &VerificationResult{
- SignedBy: make([]string, 0),
- Fingerprint: fmt.Sprintf("%X", verification.SignedBy.PrimaryKey.Fingerprint),
- FileHash: verification.FileHash,
- }
- for name := range verification.SignedBy.Identities {
- result.SignedBy = append(result.SignedBy, name)
- }
+ // Provenance data exists - verify the plugin
+ verification, err := plugin.VerifyPlugin(archiveData, provData, filename, opts.Keyring)
+ if err != nil {
+ return nil, fmt.Errorf("plugin verification failed: %w", err)
+ }
+ // Collect verification info
Source: GitHub Commit Details
Detection Methods for CVE-2026-35205
Indicators of Compromise
- Helm plugins installed without corresponding .prov provenance files in plugin directories
- Warning messages in stderr logs containing "No provenance file found for plugin"
- Recently installed plugins from untrusted or unknown sources
- Unusual network activity or Kubernetes API calls originating from Helm plugin processes
Detection Strategies
- Audit installed Helm plugins by checking for the presence of valid .prov files using helm plugin list and manual inspection of plugin directories
- Review shell history and CI/CD logs for helm plugin install commands executed against untrusted sources
- Monitor for the specific warning message pattern in Helm output logs that indicates a plugin was installed without provenance verification
- Implement SentinelOne Singularity agents to detect anomalous process behavior from Helm plugin execution
Monitoring Recommendations
- Enable verbose logging for Helm operations to capture all warning messages during plugin installation
- Implement centralized log collection for Kubernetes nodes and CI/CD runners executing Helm commands
- Set up alerts for any helm plugin install operations in production environments that do not originate from approved automation workflows
- Use SentinelOne's Kubernetes workload protection to monitor for unauthorized plugin installations and suspicious cluster activity
How to Mitigate CVE-2026-35205
Immediate Actions Required
- Upgrade Helm to version 4.1.4 or later immediately across all environments
- Audit all currently installed plugins by checking for valid .prov provenance files
- Remove any plugins installed from untrusted sources that lack proper signatures
- Review CI/CD pipelines to ensure plugin installations use explicit --verify=true flags where applicable
Patch Information
The vulnerability is fixed in Helm version 4.1.4. The fix ensures that plugin installation fails with an error when no provenance file is found, rather than proceeding with a warning. Users should upgrade by downloading the latest release from the official Helm releases page.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-q5jf-9vfq-h4h7.
Workarounds
- Manually verify provenance files exist before installing any plugins from external sources
- Use --verify=false only in controlled local development environments with plugins from trusted sources
- Implement network-level controls to restrict plugin downloads to approved repositories only
- Consider using a plugin allowlist and requiring security review for any new plugin installations
# Verify Helm version and upgrade if vulnerable
helm version --short
# Check for plugins missing provenance files
ls -la $(helm env HELM_PLUGINS)/*/
# Reinstall verified plugins from trusted sources with provenance
helm plugin install https://example.com/verified-plugin.tgz --verify
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
