CVE-2026-35206

medium Red Hat
CVSS v3 Base Score
4.4
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
EPSS Score
0.0%
Exploitation probability in 30 days
Top 100% most likely to be exploited
Attack Characteristics
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Confidentiality
None
Integrity
Low
Availability
Low
Published: April 9, 2026 (91 days ago)
Last Modified: April 9, 2026
Vendor: Red Hat
Source: REDHAT

Description

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.

CWE

CWE-22

Affected Products

Red Hat Advanced Cluster Security 4

References