Medium severity 4.4 · NVD Advisory · Published Apr 9, 2026 · Updated Apr 16, 2026
CVE-2026-35206
Description
Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart causes `helm pull --untar [chart URL | repo/chartname]` to write the Chart's contents directly into the immediate output directory (by default the current working directory, or the directory given by the `--destination` and `--untardir` flags) rather than into the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| helm.sh/helm/v4 (Go) | < 4.1.4 | 4.1.4 |
| helm.sh/helm/v3 (Go) | < 3.20.2 | 3.20.2 |
References
- github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436 (nvd: Patch, WEB)
- github.com/advisories/GHSA-hr2v-4r36-88hr (ghsa: ADVISORY)
- github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr (nvd: Mitigation, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-35206 (ghsa: ADVISORY)
- github.com/helm/helm/releases/tag/v4.1.4 (nvd: Product, Release Notes, WEB)