Home

Description

Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.

PUBLISHED Reserved 2026-05-18 | Published 2026-07-03 | Updated 2026-07-06 | Assigner Perforce




MEDIUM: 6.7CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L

Problem types

CWE-313 Cleartext storage in a file or on disk

CWE-312 Cleartext storage of sensitive information

Product status

Default status
unaffected

8.11.0 (custom)
affected

8.0.0 (custom)
affected

8.20.0 (custom)
unaffected

Default status
unaffected

2023.8.0 (custom)
affected

2025.0.0 (custom)
affected

2023.8.10 (custom)
unaffected

2025.11.0 (custom)
unaffected

References

portal.perforce.com/...e-information-for-puppet-resource-api

cve.org (CVE-2026-8804)

nvd.nist.gov (CVE-2026-8804)

Download JSON