CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-8804

mediumcovered by 2 sourcesfirst seen 2026-07-03
Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.

CSIRTS triage

What
A local attacker can exploit a vulnerability in Puppet to disclose information.
Who is affected
Local deployments of Puppet are affected.
Urgency
Remediation is medium urgency as it allows for information disclosure.
Action
Apply the latest security updates for Puppet.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-8804

Get an email if CVE-2026-8804 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-8804

CVE.org record

Embed the live status

CVE-2026-8804 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-8804 status](https://www.csirts.com/badge/CVE-2026-8804)](https://www.csirts.com/cve/CVE-2026-8804)