PE 2025.9

Released March 2026

Puppet Enterprise 2025.9 delivers key usability, performance, and security improvements, including real‑time patch run visibility, clearer patch group error handling with a retry option, enhanced orchestrator responsiveness, and new Workflow actions in the console. The release adds new API endpoints and expands support to Debian 13. Metrics API v1 is removed, and upgrades may require manual review of request‑logging.xml for sites with custom configurations. Important issues affecting Infra Assistant, patch group behavior, and browser certificate handling are resolved, and numerous security vulnerabilities are addressed to strengthen overall platform stability and security.

Puppet Enterprise® (PE and PE Advanced) lifecycle update—Puppet is transitioning its Puppet Enterprise® software support offerings from the “Long Term Support” and “Short Term Support” model to the "Latest" and "Latest - 1" model.

Starting August 6, 2026, Puppet Enterprise® will adopt a new software support model using the following nomenclature of “Latest” and “Latest - 1” that will accelerate product innovation and simplify the product lifecycle management.

What’s changing?

Under the new model:

  • Latest” series: Receives full software support and maintenance (new features, fixes, security updates) for 12 months from the date of the latest major version release.

  • “Latest - 1” series: Receives limited software support and maintenance (security updates, defect fixes, and minor changes only) for an additional 12 months after being superseded by the “Latest” version of the Puppet Enterprise® software.

The new model will replace the previous Long-Term Support (“LTS”) model, which offered up to twenty-four (24) months of limited software support and maintenance with limited feature delivery.

Impact on current release streams:

  • PE 2023.8.z series (LTS): This is the final series supported under the LTS support model. Maintenance releases will continue until August 2026, when the series reaches end of life (“EOL”). This timing coincides with the launch of the new software and support lifecycle model. Customers should begin planning upgrades to remain supported.

  • PE 2025.y series (Current “latest”): This series will continue receiving the latest updates until August 2026, when the next major PE version is released. At that point, 2025.y will transition to “Latest -1” and receive security updates, defect fixes, and minor changes only until its EOL in August 2027.

This change is designed to:

  • Deliver continuous access to new features

  • Improve security through more frequent updates and patches

  • Provide a predictable, simplified support timeline

Further documentation and upgrade guidance will be provided ahead of the August 2026 transition.

Puppet® Continuous Delivery and Puppet Comply® (also known as Puppet Security Compliance Management (“SCM”)) lifecycle updates:

For important information about the product lifecycle changes for Puppet® Continuous Delivery and Puppet Comply® /SCM, see:

Puppet Enterprise (PE) 2025 is our leading-edge PE release stream (also referred to as STS).
To access the release notes for the Puppet® platform, including Puppet agent, Puppet Server, Facter, and PuppetDB, see Platform release notes.

Enhancements

Support for Google Cloud SQL as an external PostgreSQL database

You can now use a Google Cloud SQL PostgreSQL instance as the external database for Puppet Enterprise. This enhancement lets you run PE with a managed PostgreSQL backend in Google Cloud. For more information, see Configure PE to use Google Cloud SQL.

Advanced Patching: Real‑time patch run progress

In the PE console, the Patch runs page now provides real‑time visibility into patch job progress. As a patch job moves from pending, in progress to finished, the console displays up‑to‑date node status information.

Advanced Patching: Patch group error and warning messaging improvements

The PE console now displays clearer error and warning messages when a patch group creation attempt fails, including details about the cause of the failure and recommended steps to remediate it. In addition, a new option in the Actions drop-down menu allows you to retry creating the patch group.

Advanced Patching: Disable or re-enable the Advanced Patching service

In PE 2025.9, you can now disable or re-enable the Advanced Patching service directly in the PE console by running the enterprise_tasks::toggle_patching_service plan. Access to this plan is controlled by role-based access control (RBAC).

PE orchestrator: Performance improvements

In PE 2025.9, performance improvements were made to the orchestrator in several areas. These updates improve responsiveness when selecting tasks and plans in the PE console and when running individual tasks and plans.

Workflow: New PE console capabilities

From the PE console, Workflow users can:

  • Edit a workflow.

  • Stop a workflow run.

Advanced Patching API: New endpoints

PE 2025.9 includes the following new endpoints.

Patch group management:

POST /v1/command/retry-patch-group: For patch groups in a failed state with a retry failure type, you can retry creating the failed patch group creation or update the operation.

Workflow API: New endpoints

PE 2025.9 includes the following new endpoints:

  • PUT /v1/workflows/{id}: Edit a workflow.

  • POST /v1/command/stop: Stop a workflow run.

Platform support

Agent platforms added

This release adds support for the Puppet agent on the following operating system platforms:

  • Debian 13 amd64

  • Debian 13 aarch64

Deprecations and removals

Metrics API v1 removed

As of PE 2025.9, the /metrics/v1/* endpoints are removed. Use Metrics API v2 for all metrics queries. See:

Upgrade caution

Puppet Server request‑logging.xml may retain old namespace paths

If you have previously modified /etc/puppetlabs/puppetserver/request-logging.xml, review and update the file after upgrading to PE 2025.9 or later.

The presence of request-logging.xml.rpmnew or request-logging.xml.rpmnew after upgrade indicates that the original file was modified and requires manual adjustment.

For more information, see Upgrade cautions.

Resolved issues

Infra Assistant enablement plan no longer fails to run

In PE 2025.8, a build issue resulted in the addressable gem not being bundled with the Puppet Server. Puppet code that depends on this gem failed—most notably, apply blocks in plans. This issue has been resolved in PE 2025.9.

Advanced Patching: Messaging for patch group creation failure is visible and the option to recreate the patch group is available

In PE 2025.0-2025.8, the patch group creation process failed for several reasons. If the patch group creation failed, the PE console displayed a yellow warning triangle next to the patch group name, but the cause of the failure was not visible nor was there a way for users to recreate the patch group. This issue has been fixed in PE 2025.9.

Advanced Patching: The patch group node count resets when nodes have been removed from a patch group

In PE 2025.8, when nodes were removed from a patch group, the node count did not reset. This issue has been fixed in PE 2025.9.

Browser error when using Infra Assistant with custom browser certs fixed

In PE 2025.7 and 2025.8, if you had custom browser certificates configured on your primary server, the Infra Assistant failed with a browser error. This issue also affected the use of the MCP (Management Console Proxy) server. This has been fixed in PE 2025.9.

Security fixes

Addressed the following CVEs:

The following CVEs were fixed in PE:

  • CVE-2025-11563

  • CVE-2025-10966

  • CVE-2025-15467

  • CVE-2025-68160

  • CVE-2025-69418

  • CVE-2025-69419

  • CVE-2025-69420

  • CVE-2025-69421

  • CVE-2026-22795

  • CVE-2026-22796

  • CVE-2026-21452

  • CVE-2026-21945

  • CVE-2026-21932

  • CVE-2026-21933

  • CVE-2026-0603

  • CVE-2026-27727

  • CVE-2025-13465

  • CVE-2025-58183

  • CVE-2025-47910

  • CVE-2025-61729

  • CVE-2026-27727

  • CVE-2026-22860

  • CVE-2026-25500

  • CVE-2026-2004

  • CVE-2026-2005

  • CVE-2026-2006