🔐 CVE Alert

CVE-2026-8804

UNKNOWN 0.0

Cleartext Storage of Sensitive Information for Puppet Resource API

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.

CWE CWE-313 CWE-312
Vendor perforce
Product puppet core
Published Jul 3, 2026
Last Updated Jul 3, 2026
Stay Ahead of the Next One

Get instant alerts for perforce puppet core

Be the first to know when new unknown vulnerabilities affecting perforce puppet core are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Perforce / Puppet Core
8.11.0 ≤ 8.19.0 8.0.0 ≤ 8.10.0
Perforce / Puppet Enterprise
2023.8.0 ≤ 2023.8.9 2025.0.0 ≤ 2025.10.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
portal.perforce.com: https://portal.perforce.com/s/cve/a91Qi000003511lIAA/cve20268804-cleartext-storage-of-sensitive-information-for-puppet-resource-api