CVE-2026-8804 Affecting ruby-puppet-resource-api package, versions *


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.08% (1st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN12-RUBYPUPPETRESOURCEAPI-17813299
  • published4 Jul 2026
  • disclosed3 Jul 2026

Introduced: 3 Jul 2026

NewCVE-2026-8804  (opens in a new tab)

How to fix?

There is no fixed version for Debian:12 ruby-puppet-resource-api.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ruby-puppet-resource-api package and not the ruby-puppet-resource-api package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.