Security Vulnerability Report
CVE-2026-22798 CVSS 5.9 MEDIUM

CVE-2026-22798

Published: 2026-01-12 22:16:09
Last Modified: 2026-03-08 02:03:33

Description

hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1.

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:software-metadata.pub:hermes:*:*:*:*:*:python:*:* - VULNERABLE
hermes >= 0.8.1
hermes < 0.9.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2026-22798 PoC - Sensitive Information Disclosure in hermes (CWE-532)
# This script demonstrates how sensitive API tokens passed via -O end up in the
# log file in plain text in hermes 0.8.1 to < 0.9.1.

# Simulate vulnerable hermes command execution (versions 0.8.1 to < 0.9.1).
# Requires the hermes CLI to be installed; the token value is a placeholder.
echo "[+] Simulating vulnerable hermes command with sensitive token..."
hermes deposit -O invenio_rdm.auth_token "SUPER_SECRET_API_KEY_12345" -O invenio_rdm.site_url "https://example.com"

# After execution, sensitive data appears in log files.
# The log excerpt below is printed by this script to illustrate the vulnerable
# behaviour; it is not read from the actual hermes log file.
echo "[+] Checking log files for exposed credentials..."
echo "[+] Log file content (vulnerable behavior):"
echo "[DEBUG] Received option: invenio_rdm.auth_token = SUPER_SECRET_API_KEY_12345"
echo "[DEBUG] Received option: invenio_rdm.site_url = https://example.com"
echo "[+] Note: In vulnerable versions, the raw token is logged without sanitization"
echo "[+] Fixed version (0.9.1+) would mask sensitive values in logs"

References

https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 (Patch)
https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514 (Patch)
https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23 (Patch, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22798", "sourceIdentifier": "[email protected]", "published": "2026-01-12T22:16:08.780", "lastModified": "2026-03-08T02:03:33.447", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1."}, {"lang": "es", "value": "hermes es una implementación del flujo de trabajo HERMES para automatizar la publicación de software con metadatos enriquecidos. Desde la versión 0.8.1 hasta antes de la 0.9.1, los subcomandos de hermes aceptan opciones arbitrarias bajo el argumento -O. Estas se han registrado en formato sin procesar. Si los usuarios proporcionan datos sensibles como tokens de API (p. ej., a través de hermes deposit -O invenio_rdm.auth_token SECRET), estos se escriben en el archivo de registro en texto plano, haciéndolos disponibles para cualquiera que pueda acceder al archivo de registro. Esta vulnerabilidad se corrige en la versión 0.9.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.5, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-532"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:software-metadata.pub:hermes:*:*:*:*:*:python:*:*", "versionStartIncluding": "0.8.1", "versionEndExcluding": "0.9.1", "matchCriteriaId": "07386E38-99F7-45C8-8749-BC88CB7BE99F"}]}]}], "references": [{"url": "https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}