CVE-2026-8804 PUBLISHED

Cleartext Storage of Sensitive Information for Puppet Resource API

Assigner: Perforce
Reserved: 18.05.2026 Published: 03.07.2026 Updated: 03.07.2026

Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L
CVSS Score: 6.7

Product Status

Vendor Perforce
Product Puppet Core
Versions Default: unaffected
  • affected from 8.11.0 to 8.19.0 (incl.)
  • affected from 8.0.0 to 8.10.0 (incl.)
  • Version 8.20.0 is unaffected
Vendor Perforce
Product Puppet Enterprise
Versions Default: unaffected
  • affected from 2023.8.0 to 2023.8.9 (incl.)
  • affected from 2025.0.0 to 2025.10.0 (incl.)
  • Version 2023.8.10 is unaffected
  • Version 2025.11.0 is unaffected

Solutions

Upgrade to Puppet Core 8.20.0, PE 2023.8.10, or PE 2025.11.0

References

Problem Types

  • CWE-313 Cleartext storage in a file or on disk CWE
  • CWE-312 Cleartext storage of sensitive information CWE