Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
Vulnerability Description

Helm is a package manager for Charts for Kubernetes. In Helm versions >=4.0.0 and <=4.1.3, Helm will install plugins missing provenance (`.prov` file) when signature verification is required.

### Impact

The bug allows plugin authors to omit provenance (signing) data from plugins, bypassing plugin signature verification upon plugin install/update. Notably, plugin hooks will be executed as designed on the installed plugin, enabling a malicious plugin to execute arbitrary code.

### Patches

This issue has been patched in Helm v4.1.4. Installing/updating a plugin with missing provenance will error if signature verification is required.

### Workarounds

Users may manually validate that a plugin archive is not missing provenance data (`.prov` file) before installation.

Source Code Location: https://github.com/helm/helm

Affected Packages:
- go:helm.sh/helm/v4, affected >= 4.0.0, <= 4.1.3, patched in 4.1.4

CWEs:
- CWE-636: Not Failing Securely ('Failing Open')

CVSS:
- CVSS_V4: score 8.4, CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References:
- https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7
- https://nvd.nist.gov/vuln/detail/CVE-2026-35205
- https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f
- https://github.com/helm/helm/releases/tag/v4.1.4
- https://helm.sh/docs/topics/provenance/#the-provenance-file
- https://github.com/advisories/GHSA-q5jf-9vfq-h4h7
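The following Go program is an added illustration of the CWE-636 pattern described in this advisory; it is not Helm's code and does not reproduce the patched commit. It models a plugin install gate in two forms: a fail-open variant in which a missing `.prov` file silently skips verification (the behaviour the advisory describes for 4.0.0 through 4.1.3), and a fail-closed variant that refuses to install when verification is required and no provenance file exists. The `<archive>.prov` naming follows the Helm provenance documentation for charts and is assumed here to apply to plugin archives as well; `stubVerifier`, `loadPlugin`, `installFailOpen`, `installFailClosed` and `pluginFS` are names invented for this example, and the in-memory file contents are constructed. The stub verifier only checks for a PGP signed-message header and stands in for real signature verification.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// ErrMissingProvenance is the fail-closed outcome: verification was required
// but no .prov file accompanied the archive.
var ErrMissingProvenance = errors.New("provenance (.prov) file missing; refusing to install plugin")

// ErrBadSignature is returned by the verifier when provenance data does not check out.
var ErrBadSignature = errors.New("provenance signature did not verify")

// Verifier checks archive bytes against provenance bytes. Real Helm performs
// PGP verification here; this example uses a stand-in (see stubVerifier).
type Verifier func(archive, prov []byte) error

// stubVerifier is a constructed stand-in: it accepts provenance only if it
// begins with a PGP signed-message header. It is NOT a real signature check.
func stubVerifier(archive, prov []byte) error {
	if strings.HasPrefix(string(prov), "-----BEGIN PGP SIGNED MESSAGE-----") {
		return nil
	}
	return ErrBadSignature
}

// loadPlugin reads the archive and its "<archive>.prov" companion (assumed
// naming). hasProv reports whether the provenance file existed at all, so the
// caller can distinguish "absent" from "present but invalid".
func loadPlugin(fsys fs.FS, archive string) (data, prov []byte, hasProv bool, err error) {
	data, err = fs.ReadFile(fsys, archive)
	if err != nil {
		return nil, nil, false, err
	}
	prov, err = fs.ReadFile(fsys, archive+".prov")
	if errors.Is(err, fs.ErrNotExist) {
		return data, nil, false, nil
	}
	if err != nil {
		return nil, nil, false, err
	}
	return data, prov, true, nil
}

// installFailOpen models the defective logic: verification only runs when a
// .prov file happens to be present, so omitting it bypasses the check entirely.
func installFailOpen(fsys fs.FS, archive string, verifyRequired bool, v Verifier) error {
	data, prov, hasProv, err := loadPlugin(fsys, archive)
	if err != nil {
		return err
	}
	if verifyRequired && hasProv { // BUG: a missing .prov is treated as "nothing to verify"
		return v(data, prov)
	}
	return nil
}

// installFailClosed is the hardened form: when verification is required, the
// absence of provenance is itself an error, and only a verified archive passes.
func installFailClosed(fsys fs.FS, archive string, verifyRequired bool, v Verifier) error {
	data, prov, hasProv, err := loadPlugin(fsys, archive)
	if err != nil {
		return err
	}
	if !verifyRequired {
		return nil
	}
	if !hasProv {
		return ErrMissingProvenance
	}
	return v(data, prov)
}

// pluginFS builds an in-memory file tree from constructed contents.
func pluginFS(files map[string]string) fs.FS {
	m := fstest.MapFS{}
	for name, content := range files {
		m[name] = &fstest.MapFile{Data: []byte(content)}
	}
	return m
}

func main() {
	const archive = "example-plugin-1.0.0.tgz" // constructed name
	signed := pluginFS(map[string]string{
		archive:           "constructed archive bytes",
		archive + ".prov": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n(constructed)",
	})
	unsigned := pluginFS(map[string]string{archive: "constructed archive bytes"})
	for _, c := range []struct {
		name string
		fsys fs.FS
	}{{"signed", signed}, {"unsigned", unsigned}} {
		fmt.Printf("%-8s fail-open:   %v\n", c.name, installFailOpen(c.fsys, archive, true, stubVerifier))
		fmt.Printf("%-8s fail-closed: %v\n", c.name, installFailClosed(c.fsys, archive, true, stubVerifier))
	}
}
```

The point to take from the two functions is the order of the checks: the hardened version decides first whether verification is required, then treats "no provenance" as a failure in its own right, and only then consults the verifier. The fail-open version lets the presence of the `.prov` file, which the plugin author controls, decide whether verification happens at all.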