CVE-2026-22798
Sensitive Data Exposure via Logging in Hermes CLI (-O Option
Publication date: 2026-01-12
Last updated on: 2026-03-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| software-metadata.pub | hermes | From 0.8.1 (inc) to 0.9.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes sensitive data such as API tokens to be logged in plaintext, which can lead to unauthorized access if log files are accessed by unauthorized users. Such exposure of sensitive information can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and proper handling of credentials to prevent data breaches. Therefore, the vulnerability increases the risk of non-compliance due to potential unauthorized disclosure of sensitive authentication tokens. [1]
Can you explain this vulnerability to me?
This vulnerability in the hermes package (versions 0.8.1 to before 0.9.1) occurs because the software logs raw command-line options passed via the -O argument in plaintext. If users include sensitive data such as API tokens in these options, this sensitive information is written directly to log files without masking. Anyone with access to these log files can then see these secrets, potentially exposing them. The issue arises from a debug logging statement that outputs the full command line arguments including sensitive data. This vulnerability is classified under CWE-532: Insertion of Sensitive Information into Log File and was fixed in version 0.9.1 by masking sensitive values before logging. [1, 3]
How can this vulnerability impact me? :
The vulnerability can lead to exposure of sensitive information such as API tokens if these are passed via the -O argument and logged in plaintext. This exposure can allow unauthorized users who have access to the log files to obtain these secrets, potentially leading to unauthorized actions or compromise of systems that rely on these tokens. The risk is especially significant in shared environments or continuous integration (CI) systems where logs may be accessible to multiple users or groups. This can result in integrity impacts, as attackers could misuse the exposed tokens to perform unauthorized operations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the hermes log files (typically hermes.log) for plaintext sensitive data such as API tokens that were passed via the '-O' argument in hermes subcommands. You can search the log files for patterns like 'invenio_rdm.auth_token' or other known sensitive keys. For example, you can use the command: `grep -i 'auth_token' hermes.log` or `grep -i -E 'auth_token|secret|token' hermes.log` to find exposed secrets in the logs. Since the vulnerability involves logging raw command-line options, reviewing recent hermes logs for any such plaintext secrets indicates the presence of the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the hermes package to version 0.9.1 or later, where the vulnerability is fixed by masking sensitive values passed via the '-O' argument before logging. Additionally, you should review and secure any log files that may contain exposed sensitive data to prevent unauthorized access. Avoid passing sensitive information directly via the '-O' argument until the upgrade is applied. [1, 3]