PE 2025.11

Released June 2026

Puppet Enterprise 2025.11 delivers key improvements to certificate management, patching performance, and security. This release introduces optional database-backed CA storage with new API endpoints, enhances Advanced Patching performance and usability, adds PostgreSQL 17 support, strengthens connection security with host key verification, and includes updates to RBAC, platform support, and a broad set of bug fixes and security patches.

Puppet Enterprise® (PE and PE Advanced) lifecycle update

Puppet is transitioning its Puppet Enterprise® software support offerings from the "Long Term Support" and "Short Term Support" model to the "Latest" and "Latest - 1" model starting in August 2026. To learn more, see Puppet Enterprise Platform Support Lifecycle.

Puppet Enterprise (PE) 2025 is our leading-edge PE release stream (also referred to as STS).
To access the release notes for the Puppet® platform, including Puppet agent, Puppet Server, Facter, and PuppetDB, see Platform release notes.

New features

Certificate Authority (CA): Database-backed storage

Puppet Enterprise now supports storing Certificate Authority (CA) data in a PostgreSQL database instead of the file system. Database-backed CA storage improves performance and reliability by reducing file system contention and centralizing CA state. It also introduces new capabilities for managing CA data, including API-driven operations and enhanced backup and recovery handling.

In PE 2025.11, database-backed CA storage is optional and can be enabled using the CA migration workflow.

Certificate Authority (CA) API: New endpoints

PE 2025.11 includes the following new endpoints under /puppet-ca/v1/:

  • PUT /puppet-ca/v1/infra-nodes: Replace the infrastructure node list.

  • GET /puppet-ca/v1/autosign-rules: List autosign rules.

  • PUT /puppet-ca/v1/autosign-rules: Replace the autosign rule list.

  • POST /puppet-ca/v1/autosign-rules: Add an autosign rule.

  • DELETE /puppet-ca/v1/autosign-rules/{rule}: Delete an autosign rule.

  • GET /puppet-ca/v1/keys: List CA entities and key metadata.

  • PUT /puppet-ca/v1/keys/{id}: Import a CA private key.

  • DELETE /puppet-ca/v1/keys/{id}: Delete a CA private key.

  • POST /puppet-ca/v1/keys/{id}/export: Export a CA private key to disk.

  • POST /puppet-ca/v1/entities: Import or update a CA entity.

  • DELETE /puppet-ca/v1/entities/{id}: Delete a CA entity.

  • POST /puppet-ca/v1/passphrase/rotate: Rotate the CA passphrase.

  • POST /puppet-ca/v1/serial/fast-forward: Fast-forward the CA serial counter.

  • POST /puppet-ca/v1/migration/import: Import CA state into the database (or perform a delta sync).

  • POST /puppet-ca/v1/migration/export: Export CA state to the file system.

  • POST /puppet-ca/v1/migration/cleanup-db: Remove all CA data from the database.

  • GET /puppet-ca/v1/migration/status: Retrieve migration status.

Enhancements

PostgreSQL 17 support for managed and unmanaged installations

Puppet Enterprise now supports PostgreSQL 17.

  • PE-managed installations: PostgreSQL is automatically upgraded from version 14 to 17 as part of the PE 2025.11 upgrade process, with no manual steps required.

  • Unmanaged (external) PostgreSQL: PostgreSQL 17 is now a supported version. Ensure your external database meets the supported version requirements before upgrading to PE 2025.11.

SSH and NETCONF connections now support host key fingerprint verification

PE now captures and stores host key fingerprints on the first connection to an SSH or NETCONF node, and verifies subsequent connections against the stored fingerprint. This improves connection security by ensuring that nodes are validated before communication. The captured fingerprint is visible in the node’s connection details in the console. To use this with NETCONF targets, install version 1.1.0 of the puppetlabs-edgeops module. For more information, see Install the EdgeOps module.
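The trust-on-first-use model described above (capture the fingerprint on first contact, compare on every later connection), as an added example that is not Puppet's code: it computes OpenSSH-style SHA256 fingerprints from a one-line public key, records the first one seen per node, and rejects a later connection whose key differs. The node name and both key lines are constructed values, not real key material.

```python
import base64
import hashlib
import hmac


class HostKeyMismatch(Exception):
    """The node presented a host key that does not match the fingerprint stored at first contact."""


def fingerprint(public_key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a one-line public key ('<type> <base64> [comment]')."""
    parts = public_key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    # ssh-keygen -l prints the base64 digest without '=' padding
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class FingerprintStore:
    """Trust-on-first-use: the first key seen for a node is recorded, every later one is compared."""

    def __init__(self):
        self._known = {}

    def check(self, node: str, public_key_line: str) -> str:
        presented = fingerprint(public_key_line)
        stored = self._known.get(node)
        if stored is None:
            self._known[node] = presented
            return "recorded"
        # Constant-time comparison so a mismatch does not leak how much of the fingerprint agreed
        if hmac.compare_digest(stored, presented):
            return "verified"
        raise HostKeyMismatch(f"{node}: stored {stored}, presented {presented}")


def make_key_line(raw_key: bytes, comment: str = "constructed@example") -> str:
    """Build a constructed ssh-ed25519 public key line (OpenSSH wire format: string(type) || string(key))."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed keys: 32 arbitrary bytes each, not real key material.
KEY_ORIGINAL = make_key_line(bytes(range(32)))
KEY_CHANGED = make_key_line(bytes(reversed(range(32))))


def demo() -> list:
    """First contact is recorded, a repeat with the same key verifies, a changed key is rejected."""
    store = FingerprintStore()
    results = [store.check("switch01.example", KEY_ORIGINAL),
               store.check("switch01.example", KEY_ORIGINAL)]
    try:
        store.check("switch01.example", KEY_CHANGED)
        results.append("accepted")
    except HostKeyMismatch:
        results.append("rejected")
    return results


if __name__ == "__main__":
    print(fingerprint(KEY_ORIGINAL))
    print(demo())
```

The mismatch path is the one to watch operationally: a changed fingerprint can mean a legitimately re-keyed device or an interposed host, and the stored value shown in the node's connection details is what an operator compares against the device's own `ssh-keygen -l` output before clearing it.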

Infra Assistant model updates

In PE 2025.11, Infra Assistant has been updated to use newer GPT‑5 series models. The Infra Assistant orchestrator now uses gpt-5.4-mini, and the PuppetDB sub-agent now uses gpt-5.4. These updates improve response quality, reasoning, and consistency when processing infrastructure queries, including those involving PQL generation.

Advanced Patching: Patch group enrollment concurrency controls

Patch group enrollment performance has been improved with new concurrency controls.

When you create or update a patch group, Puppet Enterprise runs a Puppet agent on each node to apply patch group resources. The speed of this process is limited by the orchestrator’s global concurrency setting (global_concurrent_compiles), which defaults to 8 and can significantly slow enrollment for large groups.

This release introduces a new optional setting, puppet_run_concurrency, which allows you to control how many nodes the patching service processes concurrently during enrollment.

You can configure this setting in one of the following ways:

  • Add puppet_enterprise::trapperkeeper::patching::puppet_run_concurrency in Hiera.

  • Set the puppet_run_concurrency parameter in the PE classifier.

This setting works alongside global_concurrent_compiles:

  • global_concurrent_compiles sets the maximum number of catalog compilations across all orchestrator jobs.

  • puppet_run_concurrency limits how many nodes the patching job submits at once.

To improve performance for large patch groups:

  • Increase global_concurrent_compiles to raise overall system capacity.

  • Set puppet_run_concurrency to control patching-specific workload.

Advanced Patching: Improved schedule validation and visibility

Enhanced patch job creation and editing workflows to validate schedules against assigned maintenance and blackout windows. These updates improve validation for immediate and scheduled jobs, provide more explicit warnings when runs may be skipped, and ensure more predictable scheduling behavior. Together, these changes reduce the risk of unintended or skipped executions.

Advanced Patching: Configurable preset timeout and reboot values

Added support for administrator-configured preset timeout and reboot values for patch jobs. These values are applied by default when not explicitly specified at job creation, reducing repetitive configuration and improving consistency across environments. Users can view and override these values in the UI, while API-created jobs apply preset values when parameters are not provided, ensuring consistent behavior across workflows.

Advanced Patching: Improved cron scheduling consistency

Standardized cron schedule validation and behavior across patch jobs, maintenance windows, and blackout windows. Enhancements include clearer UI feedback for invalid expressions, improved human-readable schedule interpretation, and more reliable execution aligned with user-defined schedules.

Advanced Patching: Post-patch Puppet run for fact refresh

Added a configurable option to run Puppet after patch jobs complete to refresh pe_patch facts. When enabled, a Puppet run is triggered automatically on successfully patched nodes, allowing patch status to update shortly after completion. When disabled, existing behavior is unchanged. This setting is managed by administrators at the system level and applies to all patch jobs, allowing environments to balance faster status updates with increased orchestrator activity and system load.

Advanced Patching: Usability improvements

  • Improved visibility of maintenance and blackout windows

    Added collapsible sections to the Create patch job, Edit scheduled patch job, and Schedule workflows to display maintenance and blackout windows associated with the selected patch group.

  • Improved handling of scheduling conflicts

    Introduced modals in the patch job scheduling workflow to surface conflicts with maintenance windows, blackout windows, or both, and guide users to resolve issues by returning to the scheduling screen.

  • Enhanced error handling and retry workflows

    Refined the retry experience for patch group creation failures by routing retry actions through a modal and providing consistent feedback for both initial failures and subsequent retry attempts.

  • Improved clarity in patch job workflows

    Updated UI text across patch job creation and scheduling screens to better describe target node scope and clarify how scheduling conditions are evaluated at run time.

Classifier RBAC: Tag-based permissions for node groups

PE 2025.11 introduces a new RBAC permission to control access to classifier groups based on tags. You can now restrict which users can view tagged node groups, ensuring that only accounts with permission to edit tags can see groups associated with those tags.

The following permission has been added:

  • node_groups:edit_tags:<instance>

By default, the Administrators role is granted node_groups:edit_tags:*.

This enhancement provides more granular control over node group visibility in the classifier.

Classifier API: New endpoints

PE 2025.11 introduces new classifier API endpoints for managing and retrieving tags on node groups.

The following endpoints have been added:

  • POST /v1/commands/add-tags: Add one or more tags to specified node groups.

  • POST /v1/commands/remove-tags: Remove one or more tags from specified node groups.

  • GET /v1/tags: Retrieve a list of existing tags.

The add and remove endpoints accept a list of group IDs and tags and require the node_groups:edit_tags:<instance> RBAC permission. A node group can have multiple tags.

The GET /v1/tags endpoint returns tags in a deterministic order and is available to any authenticated user.

Activity service API: New endpoints

PE 2025.11 includes the following new endpoints.

Callback subscription management:

  • POST /v1/subscriptions: Create a subscription to receive activity event callbacks.

  • GET /v1/subscriptions: List existing subscriptions, with optional filtering by service_id (max 255 characters).

  • GET /v1/subscriptions/{id}: Fetch a subscription by UUID.

  • DELETE /v1/subscriptions/{id}: Delete a subscription.

Subscriptions enable external services to receive real-time activity event notifications via signed HTTP POST requests, with optional filtering by service, subject, object, and event type.
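A receiving side for the signed callbacks mentioned above, as an added example that is not Puppet's code. The release notes say the POST requests are signed but do not state the scheme, so this assumes an HMAC-SHA256 over the raw request body keyed with a shared secret provisioned alongside the subscription, carried in a hypothetical X-Signature header; the secret and the event payload are constructed. Both sides are shown so the verifier can be checked against a sender that uses the same convention.

```python
import hashlib
import hmac
import json

# Assumption: a shared secret provisioned with the subscription (constructed value).
SHARED_SECRET = b"constructed-shared-secret-do-not-reuse"
# Assumption: hypothetical header name; the page does not specify the signing scheme.
SIGNATURE_HEADER = "X-Signature"


def sign_body(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that will be put on the wire."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_callback(secret: bytes, event: dict) -> tuple:
    """Sender side: serialize the event deterministically and attach the signature header."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {SIGNATURE_HEADER: sign_body(secret, body), "Content-Type": "application/json"}
    return headers, body


def verify_callback(secret: bytes, headers: dict, body: bytes) -> dict:
    """Receiver side: verify the raw bytes before parsing anything, using a constant-time compare."""
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented.startswith("sha256="):
        raise ValueError("missing or malformed signature header")
    expected = sign_body(secret, body)
    if not hmac.compare_digest(expected, presented):
        raise ValueError("signature mismatch: body was altered or secret differs")
    return json.loads(body)


# Constructed sample event using the filter dimensions the page names (service, subject, object, event type).
SAMPLE_EVENT = {
    "service_id": "classifier",
    "subject": {"type": "users", "id": "constructed-user-uuid"},
    "object": {"type": "node_groups", "id": "constructed-group-uuid"},
    "event_type": "add_tags",
}


def demo() -> dict:
    """Round-trip one callback; a tampered body must be rejected, the intact one returns the event."""
    headers, body = build_callback(SHARED_SECRET, SAMPLE_EVENT)
    event = verify_callback(SHARED_SECRET, headers, body)
    tampered = body.replace(b"add_tags", b"remove_tags")
    try:
        verify_callback(SHARED_SECRET, headers, tampered)
        raise AssertionError("tampered body must not verify")
    except ValueError:
        pass
    return event


if __name__ == "__main__":
    print(demo())
```

The order matters on the receiving side: the signature is checked over the raw bytes before json.loads runs, so an unauthenticated sender never reaches the parser, and the comparison uses hmac.compare_digest rather than ==.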

Platform support

Agent platforms added

This release adds support for the Puppet agent on the following operating system platforms:

  • macOS 26 ARM

  • macOS 26 x86_64

Deprecations and removals

Agent platforms removed

This release removes support for the following operating system platforms:

  • Ubuntu 18.04 amd64

  • Ubuntu 18.04 aarch64

  • Ubuntu 20.04 amd64

  • Ubuntu 20.04 aarch64

Resolved issues

Plans now display when permissions are set to Run plans (all) on a specific node group

Plans were not visible in the PE console when users had the following permission configuration:

Plans > Run Plans > Plan: All Plans, permitted on a specific node group

With this configuration, no plans appeared when attempting to run a plan in the console.

This issue is resolved in PE 2025.11.

PE console log-in issue with LDAP group attributes containing literal question marks fixed

In Puppet Enterprise versions earlier than 2023.8.10 and 2025.11, literal question marks in LDAP group attributes could prevent users from logging in to the console. This issue is resolved in Puppet Enterprise 2023.8.10 and 2025.11.

Creation of patch group no longer fails

In PE 2025.7-2025.10, creating patch groups in the console failed in default installations. This issue is resolved in PE 2025.11.

Patch groups no longer become unrecoverable after failure

In versions PE 2025.5-2025.10, patch groups could enter a failed state with no available retry or recovery option, preventing users from correcting the issue or continuing the operation. This issue is resolved in PE 2025.11.

Patch job progress now displays node progress correctly

In previous versions of PE 2025, the patch job details page did not update node progress as each node completed. Instead, all nodes appeared at once after the final node finished, preventing users from viewing progress in real time. This issue is resolved in PE 2025.11.

'Add window' button no longer disabled incorrectly when editing patch groups

In PE 2025.7-2025.10, the Add window button for maintenance and blackout windows was disabled after adding a window when editing a patch group, preventing additional windows from being added. This issue is resolved in PE 2025.11.

Discrepancy between the PE console and backend cron parsing fixed

An inconsistency between the cron expression parser used in the PE console and the Quartz scheduler used by backend services is resolved in PE 2025.11.

Previously, the PE console relied on a client-side parser to interpret cron expressions and generate human-readable schedule descriptions, which could differ from the Quartz scheduler used by the backend for validation and execution.

This issue could result in cron expressions being incorrectly flagged or described in the console, and, in some cases, schedule descriptions not matching actual execution.

The PE console now uses a Quartz-compatible cron parser, ensuring consistent behavior across the console, middleware, and backend scheduler.
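Why a client-side cron parser and a Quartz scheduler can disagree, as an added example that is not Puppet's code: classic cron uses five fields (minute hour day-of-month month day-of-week, Sunday = 0), while Quartz uses six or seven (seconds first, optional year last), requires a '?' in exactly one of the two day fields, and numbers Sunday as 1. The two structural validators below accept different expressions, and to_quartz shows the translation a console would have to apply; the expressions are constructed and the checks are structural, not a full range parser.

```python
import re
from typing import Optional

# Allowed characters per field (structural check only, not a full range parser).
_STANDARD_FIELD = re.compile(r"[\d*,/\-A-Za-z]+")
_QUARTZ_FIELDS = [
    re.compile(r"[\d*,/\-]+"),            # seconds
    re.compile(r"[\d*,/\-]+"),            # minutes
    re.compile(r"[\d*,/\-]+"),            # hours
    re.compile(r"[\d*,/\-?LW]+"),         # day-of-month
    re.compile(r"[\d*,/\-A-Za-z]+"),      # month
    re.compile(r"[\d*,/\-?#LA-Za-z]+"),   # day-of-week
    re.compile(r"[\d*,/\-]+"),            # optional year
]


def is_standard_cron(expr: str) -> bool:
    """Classic five-field cron: minute hour day-of-month month day-of-week."""
    fields = expr.split()
    return len(fields) == 5 and all(_STANDARD_FIELD.fullmatch(f) for f in fields)


def is_quartz_cron(expr: str) -> bool:
    """Quartz cron: seconds minute hour day-of-month month day-of-week [year],
    with exactly one of day-of-month / day-of-week set to '?'."""
    fields = expr.split()
    if len(fields) not in (6, 7):
        return False
    if not all(p.fullmatch(f) for p, f in zip(_QUARTZ_FIELDS, fields)):
        return False
    dom, dow = fields[3], fields[5]
    return (dom == "?") != (dow == "?")


def to_quartz(std_expr: str) -> Optional[str]:
    """Translate a five-field expression into Quartz form, or return None where Quartz
    cannot express it (both day fields restricted) or this helper does not translate it
    (step syntax in day-of-week)."""
    if not is_standard_cron(std_expr):
        return None
    minute, hour, dom, mon, dow = std_expr.split()
    if dom != "*" and dow != "*":
        return None  # classic cron runs on either day match; Quartz has no such OR form
    if dow == "*":
        dow = "?"
    else:
        dom = "?"
        if "/" in dow:
            return None
        # Quartz numbers Sunday as 1 and Saturday as 7; classic cron uses 0 (or 7) for Sunday.
        dow = re.sub(r"\d", lambda m: str(int(m.group()) % 7 + 1), dow)
    return " ".join(["0", minute, hour, dom, mon, dow])


def compare_parsers(expr: str) -> dict:
    """Which of the two grammars accepts the expression; disagreement is the bug the page describes."""
    return {"standard": is_standard_cron(expr), "quartz": is_quartz_cron(expr)}


if __name__ == "__main__":
    for e in ("0 2 * * 1-5", "0 0 2 ? * MON-FRI", "0 0 2 * * *"):
        print(e, compare_parsers(e))
    print(to_quartz("0 2 * * 1-5"))
```

The first expression is valid for a classic parser and rejected by Quartz; the second is the reverse; the third is rejected by both because Quartz insists on the '?'. A console that validates with one grammar and schedules with the other will flag or describe exactly these cases inconsistently.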

Activity service API v2 date range filtering returns events for all services

In PE versions prior to this release, the activity service API v2 date range filter returned results only for classifier events. Events from RBAC, PE console, and Code Manager were not included when filtering by date, even if they fell within the specified range. This issue is resolved in PE 2025.11 and 2023.8.10.

File resources with filenames containing spaces now deploy successfully

In PE 2025.10, file deployments using Puppet file server paths (puppet:/// URLs) failed when filenames contained spaces due to an issue with file-sync handling of encoded file paths. This caused agent runs to fail and required manual cleanup when files were renamed. This issue is resolved in PE 2025.11.

Infra Assistant no longer reports incorrect Puppet Enterprise version

In previous versions of PE 2025, Infra Assistant could incorrectly identify the installed Puppet Enterprise version by relying on component and package versions instead of the pe_version fact. This could result in incorrect version reporting, documentation links, and guidance. This issue is resolved in PE 2025.11.

Excessive RBAC token validation errors during plan execution fixed

In PE 2025.6–2025.10, when pe-plan-runner was enabled, orchestration activity could generate repeated "Failure validating RBAC token: Authentication token has been revoked" errors in pe-orchestration-services logs. This resulted in excessive error log noise despite no functional impact to plan execution. This issue is resolved in PE 2025.11.

Puppet Enterprise installation failure with restrictive umask fixed

In previous versions of PE 2025, Puppet Enterprise installation could fail on systems with a restrictive umask (for example, 077 set in /etc/login.defs). This caused directories under /opt/puppetlabs to be created without execute permissions, preventing services such as PostgreSQL from initializing and resulting in installation errors. This issue is resolved in PE 2025.11.

Puppet Server and orchestrator JRuby tmp directory accumulation fixed

In previous versions of PE, JRuby temporary directories (jruby-<pid>) created under the JVM temporary directory were not consistently cleaned up when services exited uncleanly (for example, due to OOM or SIGKILL). Over time, these directories could accumulate in /opt/puppetlabs/server/apps/puppetserver/tmp and the equivalent orchestrator location, leading to increased disk usage and potential file system exhaustion. This is resolved in PE 2025.11.
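A check for the accumulation described above, as an added example that is not Puppet's code: it lists jruby-<pid> directories under a temporary-directory root and reports those whose pid no longer exists, which is what an operator on an earlier PE version would run against /opt/puppetlabs/server/apps/puppetserver/tmp before reclaiming space. The demo builds a constructed layout in a scratch directory rather than touching a real installation; the pid 4194305 is above the largest pid_max Linux allows, so it can never be alive.

```python
import os
import re
import tempfile
from pathlib import Path

# Directory name pattern the release note describes: jruby-<pid>
JRUBY_TMP = re.compile(r"^jruby-(\d+)$")


def pid_is_alive(pid: int) -> bool:
    """Signal 0 checks for existence without delivering anything to the process."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def find_orphan_jruby_dirs(tmp_root) -> list:
    """Return names of jruby-<pid> directories under tmp_root whose owning JVM is gone."""
    root = Path(tmp_root)
    orphans = []
    for entry in sorted(root.iterdir()):
        match = JRUBY_TMP.match(entry.name)
        if entry.is_dir() and match and not pid_is_alive(int(match.group(1))):
            orphans.append(entry.name)
    return orphans


def demo() -> list:
    """Constructed layout: one directory for this interpreter's pid (alive), one for an impossible pid
    (orphan), and one unrelated directory that must be ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / f"jruby-{os.getpid()}").mkdir()
        (Path(tmp) / "jruby-4194305").mkdir()   # above Linux's maximum pid_max, never alive
        (Path(tmp) / "other-dir").mkdir()
        return find_orphan_jruby_dirs(tmp)


if __name__ == "__main__":
    print(demo())
```

The function only reports; removal is left to the operator, since a pid can in principle be reused and a service that is mid-restart should be allowed to settle before its directories are judged orphaned.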

Security fixes

The following CVEs were fixed in PE:

  • CVE-2026-6732

  • CVE-2026-42246

  • CVE-2026-3784

  • CVE-2026-3805

  • CVE-2026-3783

  • CVE-2026-1965

  • CVE-2026-31790

  • CVE-2026-28387

  • CVE-2026-28388

  • CVE-2026-28389

  • CVE-2026-28390

  • CVE-2026-31789

  • CVE-2026-39324

  • CVE-2026-34785

  • CVE-2026-34827

  • CVE-2026-6429

  • CVE-2026-7168

  • CVE-2026-6276

  • CVE-2026-6253

  • CVE-2026-7009

  • CVE-2026-5598

  • CVE-2026-33870

  • CVE-2026-41417

  • CVE-2026-42198

  • CVE-2026-42258

  • CVE-2026-42245

  • CVE-2026-42257

  • CVE-2026-42256

  • CVE-2026-42945

  • CVE-2026-41907

  • CVE-2026-33937

  • CVE-2026-33940

  • CVE-2026-33938

  • CVE-2026-33939

  • CVE-2026-33941

  • CVE-2026-33916

  • CVE-2026-27820

  • CVE-2026-34282

  • CVE-2026-45363

  • CVE-2026-45447

  • CVE-2026-34182

  • CVE-2026-45445

  • CVE-2026-7383

  • CVE-2026-9076

  • CVE-2026-34180

  • CVE-2026-42766

  • CVE-2026-45446

  • CVE-2026-42767

  • CVE-2026-47240

  • CVE-2026-47241

  • CVE-2026-47242

  • CVE-2026-49342

  • CVE-2026-54904

  • CVE-2026-6637

  • CVE-2026-6473

  • CVE-2026-6477

Additional security fixes:

  • WS-2026-0003: Fixed a jackson-core vulnerability that could cause a denial-of-service (DoS) condition.