Description
hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1.
Published: 2026-01-12
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure through unencrypted logging of command line options
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises because hermes subcommands accept arbitrary options under the -O flag and log them verbatim. If a user supplies sensitive data such as an API token through this option, that data is written to the standard log file in clear text. Anyone who can read the log therefore obtains credentials that could compromise downstream services. The associated weakness is CWE-532 (Insertion of Sensitive Information into Log File).
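As an added illustration, not code from hermes or the advisory, the following Python contrasts the raw-logging pattern described above with a redacting variant and a check for secrets already leaked into a log. The -O parser, the secret-key pattern and the sample command line are constructed for this example; the token value is a placeholder.

```python
import re
from typing import Dict, List

# Constructed pattern (not from hermes): option keys whose values are treated as secrets.
SENSITIVE_KEY = re.compile(r"token|secret|password|passwd|api[_-]?key|auth", re.IGNORECASE)
REDACTED = "***REDACTED***"


def parse_dash_o(argv: List[str]) -> Dict[str, str]:
    """Hypothetical parser for `-O key value` triples in the advisory's syntax."""
    options: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        if argv[i] == "-O" and i + 2 < len(argv):
            options[argv[i + 1]] = argv[i + 2]
            i += 3  # consume flag, key and value
        else:
            i += 1  # incomplete -O or unrelated argument: skip
    return options


def format_options_raw(options: Dict[str, str]) -> str:
    """Vulnerable pattern from the advisory: the raw dict, secrets included, is logged."""
    return f"options: {options}"


def redact_options(options: Dict[str, str]) -> Dict[str, str]:
    """Mask values whose key looks secret-bearing; all other values pass through."""
    return {k: (REDACTED if SENSITIVE_KEY.search(k) else v) for k, v in options.items()}


def format_options_safe(options: Dict[str, str]) -> str:
    """Hardened pattern: only the redacted view is ever formatted for logging."""
    return f"options: {redact_options(options)}"


def leaked_secrets(log_text: str, options: Dict[str, str]) -> List[str]:
    """Detection aid: keys whose secret value appears verbatim in an existing log."""
    return [k for k, v in options.items() if SENSITIVE_KEY.search(k) and v and v in log_text]


if __name__ == "__main__":
    # Constructed command line; the token is a placeholder, not a real credential.
    argv = ["hermes", "deposit", "-O", "invenio_rdm.auth_token", "EXAMPLE_TOKEN_VALUE",
            "-O", "invenio_rdm.site_url", "https://example.invalid"]
    opts = parse_dash_o(argv)
    print(format_options_raw(opts))                          # token leaks in plain text
    print(format_options_safe(opts))                         # token shown as ***REDACTED***
    print(leaked_secrets(format_options_raw(opts), opts))    # ['invenio_rdm.auth_token']
    print(leaked_secrets(format_options_safe(opts), opts))   # []
```

Running leaked_secrets over an existing log with the option set that was used is a quick way to decide whether a token must be rotated after upgrading.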

Affected Systems

Affected vendor: softwarepub; product: hermes. Versions from 0.8.1 up to, but not including, 0.9.1 are vulnerable; the fix shipped in release 0.9.1. The vulnerability affects every installation that uses the command-line interface and writes logs to disk. No operating system or platform exclusions are noted.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1% suggests that the probability of exploitation in the wild is very low. Because exploitation requires read access to the log files, the attack vector is local, or remote only where an attacker has already obtained file read access; it is not a remote code execution vector. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation is documented. Nevertheless, a malicious user who obtains the log files could recover the credentials and jeopardize authentication to external services.

Generated by OpenCVE AI on April 18, 2026 at 06:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to hermes version 0.9.1 or later
  • Restrict file system permissions so that only authorized users can read the hermes log files
  • Avoid passing sensitive credentials through the -O option; use environment variables or secure configuration files instead


Advisories
Source: GitHub GHSA
ID: GHSA-jm5j-jfrm-hm23
Title: hermes's raw options logging may disclose secrets passed in via subcommand options argument
History

Sun, 08 Mar 2026 02:15:00 +0000

Type: First Time appeared
  Values Added: Software-metadata.pub; Software-metadata.pub hermes
Type: CPEs
  Values Added: cpe:2.3:a:software-metadata.pub:hermes:*:*:*:*:*:python:*:*
Type: Vendors & Products
  Values Added: Software-metadata.pub; Software-metadata.pub hermes

Wed, 14 Jan 2026 11:15:00 +0000

Type: First Time appeared
  Values Added: Softwarepub; Softwarepub hermes
Type: Vendors & Products
  Values Added: Softwarepub; Softwarepub hermes

Tue, 13 Jan 2026 19:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 22:15:00 +0000

Type: Description
  Values Added: hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1.
Type: Title
  Values Added: hermes's raw options logging may disclose secrets passed in via subcommand options argument
Type: Weaknesses
  Values Added: CWE-532
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T19:08:22.846Z

Reserved: 2026-01-09T22:50:10.287Z

Link: CVE-2026-22798

Vulnrichment

Updated: 2026-01-13T14:14:28.068Z

NVD

Status : Analyzed

Published: 2026-01-12T22:16:08.780

Modified: 2026-03-08T02:03:33.447

Link: CVE-2026-22798

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses
  • CWE-532

    Insertion of Sensitive Information into Log File