CVE-2026-35205
Severity: HIGH 7.8 | EPSS 0.02%
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
Description
Helm is a package manager for Charts for Kubernetes. In Helm versions >=4.0.0 and <=4.1.3, Helm will install plugins missing provenance (`.prov` file) when signature verification is required.

### Impact

The bug allows plugin authors to omit provenance (signing) data from plugins, bypassing plugin signature verification upon plugin install/update. Notably, plugin hooks will be executed as designed on the installed plugin, enabling a malicious plugin to execute arbitrary code.

### Patches

This issue has been patched in Helm v4.1.4. Installing/updating a plugin with missing provenance will error if signature verification is required.

### Workarounds

Users may manually validate that a plugin archive is not missing provenance data (`.prov` file) before installation.
Affected packages (2)
- Bitnami/helm: >= 4.0.0, < 4.1.4
- Go/helm.sh/helm/v4: >= 4.0.0, < 4.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-35205
- PATCH: https://github.com/helm/helm
- WEB: https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f
- WEB: https://github.com/helm/helm/releases/tag/v4.1.4
- WEB: https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7
- WEB: https://helm.sh/docs/topics/provenance/#the-provenance-file