A bug in the Puppet Enterprise console incorrectly handles sessions (low risk)
Changing the session secret for the console does not fully invalidate current sessions. This leaves users logged in which is not the desired behaviour. Standard user validation and access control via the console is unaffected by this vulnerability.
Resolved in Puppet Enterprise 2.6.1