Cleartext Storage Vulnerability in Puppet Resource API by Puppet
CVE-2026-8804

6.7MEDIUM

Key Information:

Vendor

Perforce

Vendor
CVE Published:
3 July 2026

What is CVE-2026-8804?

The Puppet Resource API vulnerability allows sensitive information, such as passwords, to be inadvertently stored in cleartext within the agent's local transaction state cache. This occurs due to the failure to preserve the sensitive flag on parameters defined via the resource-api, posing a serious security risk. All versions of the resource_api module from 1.5.0 to 1.9.1, as well as version 2.0.0, are affected. The issue has been addressed in resource_api versions 1.9.2 and 2.0.1, which are included in Puppet Core 8.20.0 and Puppet Enterprise versions 2023.8.10 and 2025.11.0.

Affected Version(s)

Puppet Core 8.11.0 <= 8.19.0

Puppet Core 8.0.0 <= 8.10.0

Puppet Enterprise 2023.8.0 <= 2023.8.9

References

CVSS V4

Score:
6.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.