CVE-2026-8804
Cleartext Storage of Sensitive Information for Puppet Resource API
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.
| CWE | CWE-313 CWE-312 |
| Vendor | perforce |
| Product | puppet core |
| Published | Jul 3, 2026 |
| Last Updated | Jul 3, 2026 |
Stay Ahead of the Next One
Get instant alerts for perforce puppet core
Be the first to know when new unknown vulnerabilities affecting perforce puppet core are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Perforce / Puppet Core
8.11.0 ≤ 8.19.0 8.0.0 ≤ 8.10.0
Perforce / Puppet Enterprise
2023.8.0 ≤ 2023.8.9 2025.0.0 ≤ 2025.10.0