CVE-2026-8804
Received - Intake

Puppet Resource_API Sensitive Data Exposure Vulnerability

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: Perforce

Description

Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 and 1.9.1, and 2.0.0. The issue was fixed in puppet resource_api 1.9.2 and 2.0.1, released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.

Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 4 associated CPEs
Vendor | Product      | Version / Range
puppet | resource_api | From 1.5.0 (inc) to 1.9.1 (inc)
puppet | resource_api | 2.0.0
puppet | resource_api | 1.9.2
puppet | resource_api | 2.0.1

Exploitability

CWE ID  | Description
CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-313 | The product stores sensitive information in cleartext in a file, or on disk.

Executive Summary

Puppet resource_api (used in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api.

Because of this, sensitive values such as passwords are stored in cleartext within the agent's local transaction state cache.

This issue affects all versions of the resource_api module between 1.5.0 and 1.9.1, as well as version 2.0.0, and was fixed in versions 1.9.2 and 2.0.1.

Impact Analysis

This vulnerability can lead to sensitive information, such as passwords, being stored in cleartext on the local machine running the Puppet agent.

If an attacker gains access to the agent's local transaction state cache, they could retrieve these sensitive values, potentially compromising system security.

Mitigation Strategies

To mitigate this vulnerability, upgrade the puppet resource_api module to version 1.9.2 or 2.0.1 or later.

Ensure you are running Puppet Core 8.20.0 or later, or Puppet Enterprise versions 2023.8.10 or 2025.11.0 or later, where the fix has been applied.
