{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35206", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.937Z", "datePublished": "2026-04-09T21:02:13.594Z", "dateUpdated": "2026-04-14T14:45:12.096Z"}, "containers": {"cna": {"title": "Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr"}, {"name": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436", "tags": ["x_refsource_MISC"], "url": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436"}, {"name": "https://github.com/helm/helm/releases/tag/v4.1.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/helm/helm/releases/tag/v4.1.4"}], "affected": [{"vendor": "helm", "product": "helm", "versions": [{"version": ">= 4.0.0, < 4.1.4", "status": "affected"}, {"version": "< 3.20.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:02:13.594Z"}, "descriptions": [{"lang": "en", "value": "Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4."}], "source": {"advisory": "GHSA-hr2v-4r36-88hr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:45:03.230344Z", "id": "CVE-2026-35206", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:45:12.096Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35206", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:45:03.230344Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:45:08.743Z"}}], "cna": {"title": "Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment", "source": {"advisory": "GHSA-hr2v-4r36-88hr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "helm", "product": "helm", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.1.4"}, {"status": "affected", "version": "< 3.20.2"}]}], "references": [{"url": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr", "name": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436", "name": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/helm/helm/releases/tag/v4.1.4", "name": "https://github.com/helm/helm/releases/tag/v4.1.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:02:13.594Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35206", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:45:12.096Z", "dateReserved": "2026-04-01T18:48:58.937Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T21:02:13.594Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4."}], "id": "CVE-2026-35206", "lastModified": "2026-04-13T15:02:27.760", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T21:16:09.993", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436"}, {"source": "security-advisories@github.com", "url": "https://github.com/helm/helm/releases/tag/v4.1.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/helm/helm: Helm: Files written to unexpected directory via specially crafted Chart", "id": "2457151", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457151"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in Helm, a package manager for Kubernetes. A remote attacker could exploit this vulnerability by providing a specially crafted Chart to the `helm pull --untar` command. This would cause the Chart's contents to be written to an unintended directory, potentially overwriting existing files or placing malicious files in an accessible location, leading to data integrity and availability issues."], "name": "CVE-2026-35206", "package_state": [{"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "rhacs-eng/release-main", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "rhacs-eng/release-operator", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "rhacs-eng/release-roxctl", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "rhacs-eng/release-scanner-v4", "product_name": "Red Hat Advanced Cluster Security 4"}], "public_date": "2026-04-09T21:02:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35206\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35206\nhttps://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436\nhttps://github.com/helm/helm/releases/tag/v4.1.4\nhttps://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr"], "threat_severity": "Moderate"}