Hermes (softwarepub), Information Disclosure, CVE-2026-22798 (Medium)

Listen to this Post

The vulnerability stems from how the `hermes` command-line tool, used for automating software publication, handles the `-O` argument. In versions 0.8.1 up to (but not including) 0.9.1, the tool accepts arbitrary key-value pairs via this `-O` flag for various subcommands. The flaw lies in the logging mechanism, which writes these arguments to the log file in their raw, unredacted form. Consequently, if a user passes sensitive information—such as an API token or secret—through the `-O` argument (e.g., hermes deposit -O invenio_rdm.auth_token SECRET), that secret is written to `hermes.log` in plain text. This exposes the credential to any user or process with read access to the log file, which could be other local users on a shared system, or individuals with access to CI/CD logs if the tool is run in such an environment. The issue is rooted in the logging function defined in `cli.py` that does not sanitize the input before writing. The fix, implemented in version 0.9.1, involves masking all values passed via the `-O` argument in the logs .
Platform: softwarepub hermes
Version: 0.8.1 to 0.9.0
Vulnerability : Sensitive info exposure
Severity: MEDIUM (5.9 CVSS)
date: 2026-01-12

Prediction: Patched in 0.9.1

What Undercode Say:

Analysis:

The vulnerability is a classic case of CWE-532: Insertion of Sensitive Information into Log File. It requires local access to the log files and user interaction (passing a secret via the command line). The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N) indicates a high integrity impact because an exposed token could be used to modify software publications or access restricted resources .

Detection and Remediation Commands:

1. Check your current version of hermes
hermes --version
2. Search existing logs for exposed secrets (e.g., API tokens)
grep -iE "(auth_token|api_key|secret|password)" /path/to/hermes.log
3. If vulnerable, rotate all potentially exposed secrets immediately.
Example for InvenioRDM token (hypothetical command)
invenio tokens revoke --name my-publishing-token
4. Securely wipe or truncate the log file containing secrets (if no longer needed for debugging)
Be careful with regulatory compliance (log retention policies)
sudo shred -u /path/to/hermes.log
Or create a new empty log file
sudo truncate -s 0 /path/to/hermes.log
5. Set strict permissions on the log directory to prevent unauthorized access
sudo chmod 750 /var/log/hermes
sudo chown root:hermes-users /var/log/hermes/hermes.log
sudo chmod 640 /var/log/hermes/hermes.log
6. Upgrade to the patched version
pip install --upgrade hermes>=0.9.1
or, if installed via another method, use the appropriate package manager.

How Exploit:

  1. Victim Action: A user with publishing privileges runs a command to deposit software, including their secret token:

`hermes deposit -O invenio_rdm.auth_token my_super_secret_123`

  1. Logging: The `hermes` application, in its default logging routine, writes the full command or the parsed `-O` options to a log file (e.g., hermes.log). The line in the log appears as: `[2026-03-08 10:00:00] INFO: Running deposit with options: {‘invenio_rdm.auth_token’: ‘my_super_secret_123’}`
    3. Attacker Access: An attacker with local access to the machine (or access to a log aggregation service where the log is stored) reads the log file.
  2. Credential Theft: The attacker searches for patterns like `auth_token` or `secret` and extracts the plain-text value my_super_secret_123.
  3. Lateral Movement/Impact: The attacker now uses the stolen token to authenticate as the victim to the InvenioRDM instance, potentially uploading malicious software or altering existing records.

Protection from this CVE:

Immediate Patch: Upgrade to `hermes` version 0.9.1 or later, where the values passed via `-O` are masked in logs .
Use Environment Variables: Avoid passing secrets directly in commands. Configure the tool to read secrets from environment variables or secure configuration files.

export INVENIO_RDM_AUTH_TOKEN="my_super_secret_123"
hermes deposit Tool modified to read from env var

Strict Log Permissions: Implement the principle of least privilege on log files. Ensure only necessary users/processes have read access.
Log Sanitization: If using a centralized logging system, implement rules to redact patterns that look like secrets (e.g., UUIDs, long strings) before storage.
Audit Commands: Regularly audit shell histories and CI/CD scripts to ensure secrets are not being passed as inline arguments.

Impact:

Confidentiality Breach: Sensitive API tokens, passwords, and keys are exposed in plain text.
Account Takeover: Attackers can use exposed tokens to gain unauthorized access to external services (like InvenioRDM, Zenodo, etc.) .
Data Integrity Compromise: With a valid token, an attacker could modify, delete, or publish fraudulent software packages, undermining the trust in the software supply chain .
Lateral Movement: Exposed credentials might be reused across different services, allowing an attacker to broaden their access within an organization’s infrastructure.
Compliance Violations: Exposure of secrets can lead to violations of data protection regulations (e.g., GDPR, HIPAA) if the compromised service handles personal data .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top