Helm <=3.20.1/4.1.3 Write to Wrong Dir on helm pull --untar
CVE-2026-35206 Published on April 9, 2026
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-35206 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2026-35206
Want to know whenever a new CVE is published for Helm? stack.watch will email you.
Affected Versions
helm:- Version >= 4.0.0, < 4.1.4 is affected.
- Version < 3.20.2 is affected.