What is the severity of CVE-2026-22798?

CVE-2026-22798 has a CVSS v3 score of 5.9, which is classified as Medium severity.

Is there an exploit available for CVE-2026-22798?

No known public exploits are currently available for CVE-2026-22798.

Is there a patch available for CVE-2026-22798?

Yes, patches are available for CVE-2026-22798. Check the vendor advisories for update instructions.

CVE-2026-22798 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-22798?

Thanks, @thunze for reporting this! `hermes` subcommands take arbitrary options under the `-O` argument. These have been logged in raw form since https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 in: https://github.com/softwarepub/hermes/blob/3a92f42b2b976fdbc2c49a621de6d665364a7cee/src/hermes/commands/cli.py#L66 If users provide sensitive data such as API tokens (e.g., via `hermes deposit -O invenio_rdm.auth_token SECRET`), these are written to the log file in plain text, making them available to whoever can access the log file. ### Impact As currently, `hermes.log` is not yet uploaded automatically as an artifact in CI, this vuln impacts: - local users working on shared access computers, where logs may be written to a commonly accessible file system - CI users whose CI logs are accessible to others, e.g., through group or organization rights Potentially, if the changes merged from https://github.com/softwarepub/ci-templates/pull/13 are merged into `ci-templates` via https://github.com/softwarepub/ci-templates/pull/14, this would automate the disclosure of Invenio auth tokens at least for all CI runs against Invenio instances! ### Patches This has been patched in [`hermes` 0.9.1](TODO) by masking all values passed using `-O`. ### Workarounds Upgrade to `hermes` >= 0.9.1.

Severity Scores

CVSS v35.9

CVSS v20.0

Priority Score143.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

5.9

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Thanks, @thunze for reporting this!

hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form since https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 in: https://github.com/softwarepub/hermes/blob/3a92f42b2b976fdbc2c49a621de6d665364a7cee/src/hermes/commands/cli.py#L66

If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file.

Impact

As currently, hermes.log is not yet uploaded automatically as an artifact in CI, this vuln impacts:

local users working on shared access computers, where logs may be written to a commonly accessible file system
CI users whose CI logs are accessible to others, e.g., through group or organization rights

Potentially, if the changes merged from https://github.com/softwarepub/ci-templates/pull/13 are merged into ci-templates via https://github.com/softwarepub/ci-templates/pull/14, this would automate the disclosure of Invenio auth tokens at least for all CI runs against Invenio instances!

Patches

This has been patched in hermes 0.9.1 by masking all values passed using -O.

Workarounds

Upgrade to hermes >= 0.9.1.

CVSS v3 Breakdown

Attack Vector:Local

Attack Complexity:Local

Privileges Required:Local

User Interaction:Required

Scope:Changed

Confidentiality:Network

Integrity:High

Availability:Network

Patch References

Github.com Github.com