Cleartext Storage Vulnerability in Puppet Resource API by Puppet
CVE-2026-8804
6.7MEDIUM
What is CVE-2026-8804?
The Puppet Resource API vulnerability allows sensitive information, such as passwords, to be inadvertently stored in cleartext within the agent's local transaction state cache. This occurs due to the failure to preserve the sensitive flag on parameters defined via the resource-api, posing a serious security risk. All versions of the resource_api module from 1.5.0 to 1.9.1, as well as version 2.0.0, are affected. The issue has been addressed in resource_api versions 1.9.2 and 2.0.1, which are included in Puppet Core 8.20.0 and Puppet Enterprise versions 2023.8.10 and 2025.11.0.
Affected Version(s)
Puppet Core 8.11.0 <= 8.19.0
Puppet Core 8.0.0 <= 8.10.0
Puppet Enterprise 2023.8.0 <= 2023.8.9
