CVE-2026-35206: Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Published Apr 9, 2026
Affected Software
5 affected components; fixes available
go/helm.sh/helm/v3 <=3.20.1 (fix available: 3.20.2)
go/helm.sh/helm/v4 <=4.1.3 (fix available: 4.1.4)
Helm helm <3.20.2
Helm helm >=4.0.0 <4.1.4
Microsoft cbl2 helm 3.14.2-10
Event History
Apr 9, 2026
CVE Published (via MITRE, 09:02 PM)
Data Sourced (via MITRE, 09:02 PM): Description, Weakness
Data Sourced (via NVD, 09:16 PM): Description, Severity, Weakness
Data Sourced (via NVD, 09:16 PM): Remedy, Affected Software
Apr 10, 2026
Advisory Published (via GitHub, 03:33 PM)
Data Sourced (via GitHub, 03:33 PM): Description, Weakness, Affected Software
Apr 12, 2026
Data Sourced (via Microsoft, 08:01 AM): Description, Severity, Weakness
Data Sourced (via Microsoft, 08:01 AM): Affected Software
Updated (via Microsoft, 08:01 AM): Description, Severity
Frequently Asked Questions
1. What is the severity of CVE-2026-35206?
CVE-2026-35206 is classified as a medium severity vulnerability.
2. How do I fix CVE-2026-35206?
To fix CVE-2026-35206, upgrade to Helm version 3.20.2 or 4.1.4.
3. What versions of Helm are affected by CVE-2026-35206?
Helm versions up to and including 3.20.1 and 4.1.3 are affected by CVE-2026-35206.
4. What type of vulnerability is CVE-2026-35206?
CVE-2026-35206 is an information disclosure vulnerability due to improper handling of Chart.yaml.
5. How does CVE-2026-35206 impact Helm users?
CVE-2026-35206 can cause unintended directory collapse while extracting Helm charts, leading to potential file overwrites.