CVE-2026-22798
hermes's raw options logging may disclose secrets passed in via subcommand options argument
Description
Thanks, @thunze for reporting this! `hermes` subcommands take arbitrary options under the `-O` argument. These have been logged in raw form since https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 in: https://github.com/softwarepub/hermes/blob/3a92f42b2b976fdbc2c49a621de6d665364a7cee/src/hermes/commands/cli.py#L66

If users provide sensitive data such as API tokens (e.g., via `hermes deposit -O invenio_rdm.auth_token SECRET`), these are written to the log file in plain text, making them available to whoever can access the log file.

### Impact

As `hermes.log` is currently not yet uploaded automatically as an artifact in CI, this vulnerability impacts:

- local users working on shared-access computers, where logs may be written to a commonly accessible file system
- CI users whose CI logs are accessible to others, e.g., through group or organization rights

Potentially, if the changes from https://github.com/softwarepub/ci-templates/pull/13 are merged into `ci-templates` via https://github.com/softwarepub/ci-templates/pull/14, this would automate the disclosure of Invenio auth tokens at least for all CI runs against Invenio instances!

### Patches

This has been patched in [`hermes` 0.9.1](TODO) by masking all values passed using `-O`.

### Workarounds

Upgrade to `hermes` >= 0.9.1.
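The defect class and the fix strategy the advisory describes, as an added example that is not hermes's own code (the real `cli.py` at the linked commit is not reproduced here): a stand-in parser for repeated `-O key value` options, a logging call that renders the values raw (the vulnerable pattern), the masked rendering (the approach the patch section describes), and a scanner for log lines already written by a vulnerable version. The option key `invenio_rdm.auth_token` is taken from the advisory; the parser, the `key=value` log format, the logger names and the sensitive-key heuristic are assumptions made for this example.

```python
"""Raw vs. masked logging of CLI ``-O`` options (added example, not hermes code)."""
import logging
import re
from typing import Dict, List, Tuple

MASK = "***"
# Heuristic for option names that usually carry credentials (assumption).
SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|api[_-]?key)", re.IGNORECASE)


def parse_options(argv: List[str]) -> Dict[str, str]:
    """Collect repeated ``-O key value`` pairs from argv.

    Stand-in for a hermes-like CLI that accepts any option name under -O;
    it is not the project's parser.
    """
    opts: Dict[str, str] = {}
    tokens = iter(argv)
    for tok in tokens:
        if tok != "-O":
            continue
        try:
            key, value = next(tokens), next(tokens)
        except StopIteration:
            raise ValueError("-O expects a key and a value") from None
        opts[key] = value
    return opts


class _CaptureHandler(logging.Handler):
    """Collects formatted records so the example can show what would hit the log file."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def render_options(opts: Dict[str, str], masked: bool) -> str:
    """Raw rendering is the vulnerable behaviour; the masked form keeps only the keys."""
    if masked:
        return ", ".join(f"{k}={MASK}" for k in opts)
    return ", ".join(f"{k}={v}" for k, v in opts.items())


def log_invocation(subcommand: str, opts: Dict[str, str], masked: bool) -> str:
    """Log the invocation the way a CLI entry point might and return the log line."""
    logger = logging.getLogger(f"example.{'masked' if masked else 'raw'}")
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = _CaptureHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    logger.handlers = [handler]
    logger.debug("running %s with options: %s", subcommand, render_options(opts, masked))
    return handler.lines[-1]


def find_leaked_secrets(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Scan existing log lines for ``key=value`` pairs whose key looks sensitive.

    Intended for logs written before the upgrade: the fix stops new leaks but
    does not rewrite old files, so anything found here should be rotated.
    Only the ``key=value`` shape used above is recognised (assumption).
    """
    pair = re.compile(r"([\w.\-]+)=([^,\s]+)")
    leaks: List[Tuple[str, str]] = []
    for line in log_lines:
        for key, value in pair.findall(line):
            if SENSITIVE_KEY.search(key) and value != MASK:
                leaks.append((key, value))
    return leaks


if __name__ == "__main__":
    # Constructed sample invocation mirroring the advisory's example.
    argv = ["deposit", "-O", "invenio_rdm.auth_token", "SECRET",
            "-O", "invenio_rdm.site_url", "https://example.invalid"]
    opts = parse_options(argv)
    raw_line = log_invocation("deposit", opts, masked=False)
    masked_line = log_invocation("deposit", opts, masked=True)
    print(raw_line)
    print(masked_line)
    print("leaked:", find_leaked_secrets([raw_line, masked_line]))
```

Masking every value rather than only keys that look sensitive is the safer default, because the option namespace is open-ended and a name-based allowlist will miss credentials passed under an unexpected key; the keys themselves stay in the log so a run remains debuggable.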
How to fix CVE-2026-22798
To remediate CVE-2026-22798, upgrade the affected package to a fixed version listed below. Upgrading only stops new values from being written in the clear: any token already recorded by a vulnerable version remains in existing `hermes.log` files (and in any CI log that captured them), so rotate those credentials and delete or restrict access to the old logs.
- `hermes`: upgrade to 0.9.1 or later
Is CVE-2026-22798 being exploited?
Low. The EPSS score is 0.0%, i.e., the estimated probability of exploitation in the next 30 days is negligible and no exploitation activity has been observed at scale. Note that this is a local information disclosure through a log file rather than a remotely triggerable flaw, so the practical exposure is determined by who can read `hermes.log` or the CI log output, which EPSS does not measure.
Affected packages (1)
- `hermes` (Python package): >= 0.8.1, < 0.9.1