Skip to main content

Kubernetes EUVDEUVD-2026-21100

| CVE-2026-35206 MEDIUM
Path Traversal (CWE-22)
2026-04-09 security-advisories@github.com GHSA-hr2v-4r36-88hr
4.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.4 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Red Hat
4.4 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 21:22 euvd
EUVD-2026-21100
Analysis Generated
Apr 09, 2026 - 21:22 vuln.today
CVE Published
Apr 09, 2026 - 21:16 nvd
MEDIUM 4.8

DescriptionGitHub Advisory

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.

AnalysisAI

Helm versions 3.20.1 and earlier, and 4.1.3 and earlier, allow local attackers with user interaction to write Chart contents to arbitrary directories via path traversal in the helm pull --untar command. A specially crafted Chart will bypass the expected subdirectory naming convention and extract files to the current working directory or a user-specified destination, potentially overwriting existing files. Vendor-released patches are available in versions 3.20.2 and 4.1.4.

Technical ContextAI

Helm is a package manager for Kubernetes Charts that automates the download and deployment of containerized applications. The vulnerability resides in the chart extraction logic used by the helm pull command with the --untar flag. The root cause is improper path validation (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) that fails to enforce proper subdirectory creation during tarball extraction. When a user executes helm pull with --untar against a malicious Chart, the extraction routine does not sanitize or validate the internal tar entry paths, allowing an attacker-controlled Chart to specify extraction paths that traverse outside the intended chart-named subdirectory. The --destination and --untardir flags are expected to create a subdirectory named after the chart, but a specially crafted tar structure can bypass this safety mechanism. This affects all installations of Helm 3.x up to 3.20.1 (CPE: cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*) and 4.x up to 4.1.3 (CPE: cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*) regardless of platform.

RemediationAI

Vendor-released patch: upgrade Helm to version 3.20.2 or later for the 3.x branch, or version 4.1.4 or later for the 4.x branch. Users should immediately update their Helm binary via their package manager or by downloading the patched release from https://github.com/helm/helm/releases/tag/v4.1.4 (or the corresponding 3.20.2 release). No known workarounds are sufficient to mitigate the vulnerability in unpatched versions; the underlying extraction logic requires a code fix. Organizations should prioritize patching for installations that pull Charts from external or user-specified repositories. Verification of the patch can be confirmed via the upstream commit 4e7994d4467182f535b6797c94b5b0e994a91436.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Micro 5.5 Affected
SUSE Linux Enterprise Module for Containers 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected

Share

EUVD-2026-21100 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy