CVE-2026-22798 Overview
A sensitive data exposure vulnerability has been identified in HERMES, an implementation of the HERMES workflow designed to automate software publication with rich metadata. From versions 0.8.1 to before 0.9.1, HERMES subcommands accept arbitrary options under the -O argument, which are logged in raw form. When users provide sensitive data such as API tokens via command-line arguments (e.g., hermes deposit -O invenio_rdm.auth_token SECRET), these credentials are written to the log file in plain text, making them accessible to anyone who can read the log file.
Critical Impact
API tokens and other sensitive credentials passed via command-line arguments are exposed in plain text within log files, potentially allowing unauthorized access to integrated services and repositories.
Affected Products
- HERMES versions 0.8.1 to before 0.9.1
- Systems running HERMES with sensitive authentication tokens passed via -O arguments
- Environments where log files are accessible to unauthorized users
Discovery Timeline
- January 12, 2026 - CVE-2026-22798 published to NVD
- January 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-22798
Vulnerability Analysis
This vulnerability falls under CWE-532 (Insertion of Sensitive Information into Log File). The HERMES workflow tool provides a flexible option mechanism through the -O argument, allowing users to pass arbitrary key-value pairs to various subcommands. However, the logging implementation captures these arguments in their entirety without sanitizing or masking sensitive values.
The exposure occurs when users utilize this mechanism to pass authentication credentials, such as API tokens for repository services like InvenioRDM. Since the logging subsystem treats all -O arguments uniformly, tokens and other secrets are written to log files in clear text. This creates a significant security risk in multi-user environments or systems where log files may be accessed by unauthorized parties.
The vulnerability requires local access to exploit and user interaction (providing sensitive data via command line), but the potential impact on confidentiality is high as exposed credentials could grant unauthorized access to external services and repositories.
Root Cause
The root cause lies in the insufficient handling of sensitive data within the logging mechanism. The HERMES application logs command-line arguments provided through the -O flag without implementing any filtering, redaction, or masking logic for potentially sensitive values. This design oversight means that any authentication token, password, or API key passed as an option parameter is captured verbatim in application logs.
Attack Vector
The attack vector for this vulnerability is local, requiring an attacker to have read access to the HERMES log files. Exploitation scenarios include:
- Multi-user systems: On shared systems, other users with log file read permissions can extract credentials
- Log aggregation: Centralized logging systems may expose credentials to broader audiences
- Backup exposure: System backups containing log files preserve the exposed credentials
- Compromised systems: Attackers who gain limited access can harvest credentials from logs
The vulnerability mechanism involves users invoking HERMES commands with sensitive options. For example, when a user runs hermes deposit -O invenio_rdm.auth_token YOUR_SECRET_TOKEN, the entire argument including the token value is written to the log file. Attackers can then search log files for patterns like auth_token or similar keywords to extract credentials. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-22798
Indicators of Compromise
- Log files containing raw API tokens or authentication credentials in plain text
- Presence of sensitive parameter patterns (e.g., auth_token, api_key, password) in HERMES log entries
- Evidence of log file access by unauthorized users or processes
- Unusual authentication activity on integrated services (InvenioRDM, Zenodo, etc.) using potentially compromised tokens
Detection Strategies
- Implement log file monitoring for sensitive data patterns using data loss prevention (DLP) tools
- Audit file access permissions on HERMES log directories and files
- Review HERMES command history for instances where sensitive data may have been passed via -O arguments
- Monitor authentication logs of integrated services for unauthorized access attempts
Monitoring Recommendations
- Configure alerting for read operations on HERMES log files by non-authorized processes
- Implement file integrity monitoring on log directories to detect unexpected access
- Set up regular scans of log files for credential patterns that may indicate exposure
- Monitor for anomalous API activity on services that HERMES integrates with
How to Mitigate CVE-2026-22798
Immediate Actions Required
- Upgrade HERMES to version 0.9.1 or later immediately
- Review existing log files for exposed credentials and securely delete them after rotating affected tokens
- Rotate all API tokens and credentials that may have been passed via HERMES -O arguments
- Restrict file permissions on HERMES log files to minimize exposure
Patch Information
The vulnerability has been fixed in HERMES version 0.9.1. The fix involves proper handling of sensitive data in the logging subsystem to prevent plain-text exposure of credentials. Security patches are available through the following commits:
For complete details, see the GitHub Security Advisory GHSA-jm5j-jfrm-hm23.
Workarounds
- Use environment variables or configuration files with restricted permissions to pass sensitive credentials instead of command-line arguments
- Implement strict file permissions on log directories (e.g., chmod 600) to limit read access
- Configure log rotation with secure deletion to minimize the window of credential exposure
- Avoid passing authentication tokens via the -O argument until the upgrade is complete
# Configuration example - Secure log file permissions
chmod 600 /var/log/hermes/*.log
chown root:root /var/log/hermes/*.log
# Use environment variables instead of command-line arguments
export HERMES_INVENIO_AUTH_TOKEN="your_token_here"
hermes deposit --use-env-credentials
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
