CVE-2026-22798
January 12, 2026
hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1.
Affected Packages
https://github.com/softwarepub/hermes.git (GITHUB):
Affected version(s) >=v0.8.1 <v0.9.1Fix Suggestion:
Update to version v0.9.1hermes (PYTHON):
Affected version(s) >=0.8.1 <0.9.1Fix Suggestion:
Update to version 0.9.1Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.7
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.9
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Insertion of Sensitive Information into Log File
EPSS
Base Score:
0.01
