Path Traversal in Helm

CVE-2026-35206

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output director…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (0.3th percentile)

Affected products

  • Helm — versions < 3.20.2; versions >= 4.0.0, < 4.1.4

Weakness classification (CWE)

References