CVE-2026-35205
Overview
Helm is the Cloud Native Computing Foundation graduated package manager for Kubernetes. Plugins are arbitrary executables resolved through helm plugin install, and Helm supports provenance files (.prov) so that plugin authors can sign releases and operators can verify them at install time.
A fail-open vulnerability (CVE-2026-35205) has been identified in Helm 4 plugin verification. When a user installs or upgrades a plugin with signature verification enabled, Helm proceeds with the installation even when the plugin's .prov provenance file is absent. The verification step does not return an error, so any unsigned plugin is treated as if it had passed verification and the plugin's install hooks run with the operator's privileges.
Per OWASP: an Insecure Design defect arises when a security control is specified or implemented in a way that allows the protected operation to succeed under conditions the control was meant to prevent. Failing open when a required signature artifact is missing is the canonical example for verification controls.
This issue affects Helm versions 4.0.0 through 4.1.3, and reaches Ingress NGINX Controller deployments through the helm.sh/helm/v4 module that ships in the controller's build graph. HeroDevs has resolved it in NES for Ingress NGINX 1.15.2, the first commercial extended-support release after the Kubernetes project's March 2026 retirement of Ingress NGINX. The fix for CVE-2026-35205 ships in the same Helm 4.1.4 release as the fix for CVE-2026-35204 (path traversal); the two bugs compose into a complete unsigned-plugin-to-arbitrary-write chain.
Why this matters for Ingress NGINX deployments
None of the CVEs HeroDevs resolved in NES for Ingress NGINX 1.15.2 live in ingress-nginx code itself. They live in the dependencies the controller ships with: the Go toolchain, Helm, and a small set of Go modules. Per the Kubernetes project's November 2025 retirement announcement, best-effort upstream maintenance ended in March 2026, and there will be no further releases or security patches for any vulnerability discovered in the project or its dependencies.
That last clause is the operational problem. Helm's patch cadence does not stop because Ingress NGINX retired; CVE-2026-35204 and CVE-2026-35205 both landed in Helm 4.1.4 within a few days of the Ingress NGINX EOL deadline. Without a maintained Ingress NGINX build that picks up Helm 4.1.4, every cluster running upstream ingress-nginx is shipping a controller binary that links a Helm version with a known signature-verification bypass.
NES for Ingress NGINX 1.15.2 is built on upstream ingress-nginx v1.15.1 with the Helm dependency upgraded to 4.1.4. The container image and Helm chart are drop-in replacements for the upstream v1.15.1 build.
Details
Module Info
- Product: Helm (Kubernetes package manager); transitive dependency of Ingress NGINX Controller
- Affected components: helm plugin install and helm plugin update verification path
- Affected versions: Helm 4.0.0 through 4.1.3; Ingress NGINX builds that include those Helm versions in their build graph
- Upstream GitHub repository: <https://github.com/helm/helm>
- Published artifacts (NES):
  - Container image: registry.nes.herodevs.com/neverendingsupport/ingress-nginx-controller:v1.15.1-nes-1.15.2
  - Helm chart: HeroDevs/ingress-nginx --version 0.0.2 (see helm-charts documentation)
  - Release notes: docs.herodevs.com/ingress-nginx/release-notes
- Distribution channels: registry.nes.herodevs.com, HeroDevs Helm chart repository
- Fixed in:
  - Helm 4.1.4 (upstream)
  - NES for Ingress NGINX 1.15.2 (April 20, 2026), which bumps helm.sh/helm/v4 from 4.1.3 to 4.1.4
Vulnerability Info
This High-severity vulnerability is found in the plugin verification path of Helm 4 and reaches every binary that links the helm.sh/helm/v4 module, including Ingress NGINX Controller builds prior to NES 1.15.2.
Helm plugin verification is intended to refuse installation of any plugin that cannot be cryptographically attested. The expected flow loads the plugin archive, locates the adjacent provenance file (.prov) that contains a detached signature over the archive's SHA-256 hash, validates the signature against a trusted keyring, and aborts with a verification error if any of those steps fails.
The flaw is that the verification path treats a missing .prov file as a soft condition rather than a hard failure. When a user invokes helm plugin install with verification required and supplies a plugin source that has no provenance file, Helm only records the condition in its internal logging and proceeds to install the plugin as though verification had succeeded. Because Helm runs plugin hooks on install, the unsigned plugin's install hook executes immediately with the privileges of the user running helm.
Threat model for Ingress NGINX clusters: any operator workflow, CI runner, or admin workstation that installs Helm plugins as part of the Ingress NGINX deployment lifecycle is exposed. The operator's primary defense, signature verification via --verify, is silently disabled by the bug, so an organization that mandates verification still installs unsigned code. Plugin install hooks run as the invoking user; on a CI runner or admin workstation, that often means access to kubeconfig credentials, cloud provider tokens, and pipeline secrets reachable from the helm process. Combined with CVE-2026-35204 (path traversal, fixed in the same Helm 4.1.4 release), the attacker also gets arbitrary file write.
When successfully exploited, this vulnerability can lead to:
- Arbitrary code execution on the host that runs helm plugin install or helm plugin update
- Theft of kubeconfigs, cloud credentials, and CI secrets reachable by the helm process
- Lateral movement into Kubernetes clusters managed by the compromised operator account
Proof Of Concept
A reference reproduction is documented in advisory GHSA-q5jf-9vfq-h4h7 and the upstream fix at <https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f>.
Mitigation
OSS Users
Users of upstream Helm and Ingress NGINX should apply one of the following mitigations:
- Upgrade Helm to 4.1.4 or later on every workstation, CI runner, and bastion that runs helm plugin install or helm plugin update.
- Until upgrade is possible, do not rely on --verify as a hard control: only install plugins from sources you have separately attested.
- Audit currently installed plugins (helm plugin list) and remove any that were installed from untrusted or unverified sources during the affected window.
- For Ingress NGINX specifically, no upstream release will rebase against Helm 4.1.4 because the project retired in March 2026. Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched Ingress NGINX build.
NES Customers
HeroDevs Never Ending Support for Ingress NGINX has resolved CVE-2026-35205 in NES for Ingress NGINX 1.15.2 by upgrading the bundled helm.sh/helm/v4 module from 4.1.3 to 4.1.4. The release ships as a drop-in replacement for upstream ingress-nginx v1.15.1:
- Pull the patched container image: registry.nes.herodevs.com/neverendingsupport/ingress-nginx-controller:v1.15.1-nes-1.15.2
- Or upgrade via the public Helm chart: HeroDevs/ingress-nginx --version 0.0.2 (helm-charts documentation)
- VEX statements ship with the release so scanners that consume OpenVEX or CycloneDX VEX surface the patched status instead of leaving CVE-2026-35205 as an open finding.
Compliance impact
Ingress NGINX sits at the edge of the cluster, which means every CVE flagged against the controller binary tends to land in front of compliance reviewers, audit reports, and customer questionnaires. Several frameworks make this acute:
- The EU Cyber Resilience Act's Article 14 reporting obligations begin September 11, 2026; "the upstream project no longer ships fixes" is not a valid answer.
- DORA's ICT third-party risk requirements have been in force since January 2025.
- PCI DSS 4.0 expects continuous evidence that components receive security patches.
- FedRAMP authorizations carry continuous monitoring obligations.
The NES release ships a documented patch trail plus VEX statements that scanners consume programmatically.
Taking Action
If your operators or pipelines run helm plugin install --verify under the assumption that unsigned plugins will be rejected, treat that assumption as broken until you have rolled out Helm 4.1.4 and re-audited the installed plugin set. The bug class (signature verification failing open on missing provenance) is exactly the case operators rely on the control to catch. For Ingress NGINX deployments specifically, the upstream project will not ship a release that picks up Helm 4.1.4: the controller retired in March 2026 and is in dependency-CVE drift. NES for Ingress NGINX 1.15.2 closes both this CVE and CVE-2026-35204 in one Helm dependency upgrade. Pull the 1.15.2 image and Helm chart per docs.herodevs.com/ingress-nginx/release-notes.
Credits
- maru1009 (finder)
- Helm maintainers (coordination and fix)
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35205
- OSV: https://osv.dev/vulnerability/CVE-2026-35205
- GitHub Advisory: https://github.com/advisories/GHSA-q5jf-9vfq-h4h7
- Helm fix commit: https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f
- Helm 4.1.4 release: https://github.com/helm/helm/releases/tag/v4.1.4
- NES for Ingress NGINX release notes: https://docs.herodevs.com/ingress-nginx/release-notes
- NES for Ingress NGINX Helm charts: https://docs.herodevs.com/ingress-nginx/helm-charts
- Kubernetes ingress-nginx retirement announcement: https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/