Skip to main content

Kubernetes CVE-2026-35204

| EUVDEUVD-2026-20900 HIGH
Path Traversal (CWE-22)
2026-04-09 GitHub_M GHSA-vmx8-mqv2-9gmg
8.4
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 17, 2026 - 14:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 14:22 vuln.today
cvss_changed
Patch released
Apr 10, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 15:30 euvd
EUVD-2026-20900
Analysis Generated
Apr 09, 2026 - 15:30 vuln.today
CVE Published
Apr 09, 2026 - 15:03 nvd
HIGH 8.4

DescriptionCVE.org

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.

AnalysisAI

Path traversal in Helm 4.0.0-4.1.3 allows local attackers to write arbitrary files during plugin installation or update by embedding '/../' sequences in the plugin.yaml version field, achieving high integrity impact across system and vulnerable component scopes. EPSS score is 2nd percentile (0.01%) with no active exploitation or public POC identified, suggesting low immediate risk despite 8.4 CVSS score. Vendor patch released in version 4.1.4.

Technical ContextAI

Helm is the de facto package manager for Kubernetes, managing deployment Charts and extensible via plugins defined by plugin.yaml manifests. This vulnerability exploits CWE-22 (Path Traversal) via insufficient validation of the 'version:' field in plugin.yaml during plugin installation/update operations. By embedding POSIX dot-dot sequences ('/../') in this field, an attacker can escape Helm's intended plugin directory and write plugin contents to arbitrary filesystem locations. The affected product is helm:helm (CPE 2.3:a:helm:helm:*) versions 4.0.0 through 4.1.3. The CVSS 4.0 vector indicates high integrity impact to both vulnerable component (VI:H) and system (SI:H), with high subsequent system availability impact (SA:H), consistent with potential overwriting of critical system files or binaries.

RemediationAI

Upgrade Helm to version 4.1.4 or later, released March 2025, which introduces validation rejecting plugin.yaml files containing '/../' sequences in the version field (fix commit: 36c8539e99bc42d7aef9b87d136254662d04f027, release: https://github.com/helm/helm/releases/tag/v4.1.4). For environments unable to upgrade immediately, implement compensating controls: establish plugin allowlisting via organizational policy permitting only verified plugins from trusted sources (helm.sh stable repository), enforce code review of plugin.yaml manifests before installation, and restrict Helm plugin installation privileges to dedicated service accounts with minimal filesystem write permissions using SELinux/AppArmor policies. Note that allowlisting reduces plugin ecosystem flexibility and requires ongoing maintenance. Manual inspection of plugin.yaml files for dot-dot sequences is error-prone and not recommended as sole mitigation.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Containers 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

CVE-2026-35204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy