Anonymous Intelligence Signal

Helm Kubernetes Package Manager Exposed to Critical Path Traversal Vulnerability (CVE-2026-35206)

human The Lab unverified 2026-04-11 08:22:27 Source: GitHub Issues

A critical path traversal vulnerability in the Helm Kubernetes package manager allows a maliciously crafted chart to write files outside the intended directory during an untar operation. The flaw, tracked as CVE-2026-35206, affects Helm versions <=3.20.1 and <=3.20.2, and is addressed in the latest security update to v3.20.2. This vulnerability is triggered specifically when using the `helm pull --untar` command, which is a common workflow for developers and CI/CD pipelines to fetch and extract chart packages.

The security advisory from the Helm project warns that a specially designed chart can exploit this flaw to write its contents to the immediate output directory, potentially leading to arbitrary file writes on the host system. This type of vulnerability is a classic security risk in archive handling, where insufficient validation of file paths within a tarball can be weaponized to overwrite critical system files or deploy malicious payloads. The update patches this path traversal issue, closing a significant attack vector for any system or pipeline that automates the pulling and unpacking of Helm charts from external or untrusted sources.
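The archive-handling weakness described above (a tar entry whose name is joined onto the output directory without checking where the cleaned path ends up) is generic to any untar routine, not only Helm's. The Go program below is an added example written for this page, not Helm's own code or its patch: it validates every header before writing anything, so a chart with one escaping entry is rejected as a whole, and it builds its own constructed, chart-shaped tarball in memory (`sampleArchive`, a hypothetical helper) so that it runs offline. Symlink and hardlink entries are rejected outright rather than resolved, which is an assumption that keeps the example short.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathTraversal marks any entry that would land outside the output directory.
var ErrPathTraversal = errors.New("archive entry escapes destination directory")

// resolveInside joins name onto dest and rejects the result unless it stays inside dest.
// filepath.Join cleans ".." components, so the check runs on the final path, not the raw name.
func resolveInside(dest, name string) (string, error) {
	target := filepath.Join(dest, name)
	rel, err := filepath.Rel(dest, target)
	if filepath.IsAbs(name) || err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	return target, nil
}

// walk calls fn for every entry of an in-memory tar archive.
func walk(archive []byte, fn func(*tar.Header, io.Reader) error) error {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		if err := fn(hdr, tr); err != nil {
			return err
		}
	}
}

// extractArchive checks every header before anything touches disk, so an archive with one
// bad entry is rejected whole instead of partially unpacked; it then writes the entries
// under dest and returns the file paths it created.
func extractArchive(archive []byte, dest string) ([]string, error) {
	dest = filepath.Clean(dest)
	if err := walk(archive, func(hdr *tar.Header, _ io.Reader) error {
		if hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeDir {
			return fmt.Errorf("unsupported entry type %q in %q", hdr.Typeflag, hdr.Name)
		}
		_, err := resolveInside(dest, hdr.Name)
		return err
	}); err != nil {
		return nil, err
	}
	var written []string
	err := walk(archive, func(hdr *tar.Header, body io.Reader) error {
		target, _ := resolveInside(dest, hdr.Name) // validated in the first pass
		if hdr.Typeflag == tar.TypeDir {
			return os.MkdirAll(target, 0o755)
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
		if err != nil {
			return err
		}
		defer f.Close()
		written = append(written, target)
		_, err = io.Copy(f, body)
		return err
	})
	return written, err
}

// sampleArchive builds a constructed, chart-shaped tarball in memory (not a real Helm chart).
// With escape=true it adds one entry whose name climbs above the output directory.
func sampleArchive(escape bool) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(name, body string) {
		_ = tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
		_, _ = tw.Write([]byte(body))
	}
	add("mychart/Chart.yaml", "apiVersion: v2\nname: mychart\nversion: 0.1.0\n")
	add("mychart/values.yaml", "replicaCount: 1\n")
	if escape {
		add("mychart/../../outside.txt", "this would land beside the output directory\n")
	}
	_ = tw.Close()
	return buf.Bytes()
}
```

Calling `extractArchive(sampleArchive(false), dir)` writes the two chart files under `dir`; `extractArchive(sampleArchive(true), dir)` returns an error wrapping `ErrPathTraversal` and writes nothing. The two-pass design is deliberate for CI use: a pipeline that unpacks a chart fetched from a remote repository should fail closed before any file is created, not after the benign entries have already been written. A production extractor would additionally resolve symlink and hardlink targets against the destination and guard against pre-existing symlinks inside it.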

This vulnerability places immediate pressure on DevOps and platform engineering teams to patch their Helm installations. The risk is particularly acute for automated deployment environments where `helm pull` is integrated into build scripts. Failure to update could leave Kubernetes clusters and their underlying nodes exposed to compromise through a trusted package management tool. The advisory underscores the persistent security challenges in the cloud-native toolchain, where a single flaw in a foundational utility like Helm can have cascading effects across entire infrastructure stacks.