CVE Reports

Originally published at cvereports.com

CVE-2026-22798: Loose Lips Sink Ships: How Hermes Logged Its Way into a Security Nightmare

Vulnerability ID: CVE-2026-22798
CVSS Score: 5.9
Published: 2026-01-13

The hermes software publication tool inadvertently logged sensitive command-line arguments, including API tokens and authentication secrets, to plaintext log files due to overzealous debug logging.

TL;DR

Developers often log too much in the name of debugging. In CVE-2026-22798, the hermes CLI tool dumped the entire argparse namespace into a log file. Since hermes allows passing secrets via the -O flag, this meant every API key used to publish software was written to disk in plaintext. If you share a machine or run this in CI/CD, your secrets are public property.


Technical Details

  • CWE ID: CWE-532
  • Attack Vector: Local (File Read)
  • CVSS: 5.9 (Medium)
  • EPSS Score: 0.00011 (Low)
  • Impact: Credential Leak / Integrity Compromise
  • Exploit Status: Trivial (Log Analysis)

Affected Systems

  • hermes CLI tool (softwarepub)
  • hermes: >= 0.8.1, < 0.9.1 (Fixed in: 0.9.1)

Code Analysis

Commit: 90cb86a

Fix: mask sensitive option values in log output

-    log.debug("Running hermes with the following command line arguments: %s", args)
+    log.debug("Running hermes with the following command line arguments: %s", mask_options_values(args))
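Review bot: the fix is only as good as what mask_options_values considers sensitive; if it matches a fixed list of option names, a token passed under a key it does not know (a new backend's auth setting, for instance) will still be rendered in full, so match on key patterns such as token, secret, password and api_key by default and add a unit test that parses `-O <key>=<value>` for each of them and asserts the value is absent from the rendered string. The function should also return a redacted copy rather than mutating args in place.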

Commit: 7f64f10

Introduction of the vulnerable logging logic

+    log.debug("Running hermes with the following command line arguments: %s", args)
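Review bot: logging the whole parsed namespace with %s renders every option value, including anything supplied through -O, into the debug log; log an explicit allow-list of non-sensitive fields (the subcommand, paths) or a redacted copy instead, and treat any option whose key names a token, secret or password as sensitive by default rather than relying on the log level to keep it out of files.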

Exploit Details

  • N/A: Exploitation involves standard file access commands (grep, cat) on generated logs.

Mitigation Strategies

  • Input Sanitization for Logs
  • Principle of Least Privilege
  • Secret Rotation

Remediation Steps:

  1. Upgrade hermes to version 0.9.1 immediately.
  2. Identify all systems (developer laptops, CI/CD runners) where hermes was executed.
  3. Locate and securely delete hermes.log files on these systems.
  4. Revoke and rotate any API tokens (e.g., InvenioRDM, Zenodo) passed to the tool via the -O flag.

Read the full report for CVE-2026-22798 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)