EUVD-2026-20900
GHSA-vmx8-mqv2-9gmg
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.
Analysis
Path traversal in Helm 4.0.0 through 4.1.3 allows malicious plugin installation to write arbitrary files to any filesystem location. When users install or update a specially crafted Helm plugin containing directory traversal sequences (/../) in the version field of plugin.yaml, the package manager writes plugin contents outside intended directories. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Helm installations running versions 4.0.0-4.1.3 using `helm version` command; document inventory and affected Kubernetes clusters. Within 7 days: Distribute security advisory to development and DevOps teams prohibiting installation of Helm plugins from untrusted sources; implement code review requirement for all plugin installations; consider restricting plugin installation via RBAC policies. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today