Skip to main content

Puppet resource_api CVE-2026-8804

| EUVDEUVD-2026-41516 MEDIUM
Cleartext Storage in a File or on Disk (CWE-313)
2026-07-03 Perforce GHSA-rh7m-r3xm-v5xg
6.7
CVSS 4.0 · Vendor: Perforce
Share

Severity by source

Vendor (Perforce) PRIMARY
6.7 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.4 MEDIUM

Local filesystem read of cache requires high-privilege access; only confidentiality is impacted - no integrity or availability impact from this flaw alone.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Perforce).

CVSS VectorVendor: Perforce

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 03, 2026 - 08:21 vuln.today

DescriptionCVE.org

Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.

AnalysisAI

Cleartext storage of sensitive parameters in Puppet's resource_api module (versions 1.5.0-1.9.1 and 2.0.0) causes passwords and other credential values to persist unmasked in the Puppet agent's local transaction state cache. The sensitive flag - intended to prevent exactly this exposure - is silently dropped during resource_api parameter processing, meaning any resource type built on this API and declaring sensitive parameters leaks those values to the cache filesystem. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain high-privilege local access to Puppet agent host
Delivery
Identify resource_api-backed resource types managing sensitive parameters
Exploit
Locate agent transaction state cache on filesystem
Execution
Read cleartext credential values from cache
Impact
Use extracted credentials for lateral movement to managed services

Vulnerability AssessmentAI

Exploitation Exploitation requires high-privilege local access to the Puppet agent host with sufficient filesystem permissions to read the agent's transaction state cache directory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:H/UI:N/VC:H) correctly characterizes this as a local, high-privilege issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with existing high-privilege or root-level local access to a Puppet agent node navigates to the agent's transaction state cache directory and reads the cached catalog or state file, extracting passwords or API tokens that were managed by resource_api-backed resource types. The recovered credentials are then used to authenticate to downstream services - databases, cloud providers, or other infrastructure - that Puppet manages on that node. …
Remediation Upgrade to puppet resource_api 1.9.2 (for the 1.x line) or 2.0.1 (for the 2.x line), which are bundled with Puppet Core 8.20.0 and Puppet Enterprise 2023.8.10 or PE 2025.11.0 respectively. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8804 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy