CVE-2026-8804
MediumCVSS 6.7Summary
A vulnerability in Puppet resource_api (shipped with Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) fails to preserve the sensitive flag on parameters defined via the resource-api, causing values like passwords to be stored in cleartext in the agent's local transaction state cache.
Risk Assessment
The organization risks exposure of sensitive credentials (e.g., passwords) stored in cleartext in the Puppet agent's local cache, potentially leading to unauthorized system access.
Recommendation
Immediately update the puppet resource_api module to version 1.9.2 or 2.0.1 (or later), and upgrade Puppet Core to 8.20.0 or Puppet Enterprise to 2023.8.10 / 2025.11.0.
Original NVD description (English source)
Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.

