CVE-2026-35205
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
7.8
HIGH
CVSS 3.1
EPSS 0.02%
Description
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
How to fix CVE-2026-35205
To remediate CVE-2026-35205, upgrade the affected package to a fixed version below.
- —upgrade to 4.1.4 or later
- —upgrade to 4.1.4 or later
Is CVE-2026-35205 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 4.0.0, < 4.1.4
- >= 4.0.0, < 4.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |