Which versions of Kubernetes are affected by CVE-2026-35205?

Helm versions 4.0.0 through 4.1.3 fail to validate plugin cryptographic signatures even when signature verification is explicitly configured, allowing attackers to inject malicious plugins that…. A patch is available.

Kubernetes CVE-2026-35205

Q: What is the CVSS score of CVE-2026-35205?

CVE-2026-35205 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-20901 HIGH

Not Failing Securely ('Failing Open') (CWE-636)

2026-04-09 GitHub_M

GHSA-q5jf-9vfq-h4h7

Information Disclosure Kubernetes Suse

8.4

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Updated

Apr 17, 2026 - 14:12 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 17, 2026 - 14:07 vuln.today

cvss_changed

Patch released

Apr 10, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Apr 09, 2026 - 15:30 euvd

EUVD-2026-20901

Analysis Generated

Apr 09, 2026 - 15:30 vuln.today

CVE Published

Apr 09, 2026 - 15:06 nvd

HIGH 8.4

DescriptionNVD

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.

AnalysisAI

Helm 4.0.0 through 4.1.3 silently installs Kubernetes plugins without cryptographic provenance verification even when signature verification is explicitly required, allowing local attackers to deliver malicious plugins that execute with Helm's privileges during installation. The flaw (CWE-636: Not Failing Securely) enables supply chain attacks where unsigned or tampered plugins bypass security controls intended to validate plugin integrity. …

RemediationAI

Within 24 hours: Audit current Helm version across all deployment systems using 'helm version' and identify instances running 4.0.0-4.1.3. Within 7 days: Upgrade all affected Helm installations to version 4.1.4 or later per vendor advisory, and disable or restrict plugin installation until upgrade is complete. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-35205 vulnerability details – vuln.today

Back

Kubernetes CVE-2026-35205

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

Kubernetes CVE-2026-35205

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code