CVE-2026-22798
hermes's raw options logging may disclose secrets passed in via subcommand options argument
Description
Thanks to @thunze for reporting this! `hermes` subcommands take arbitrary options under the `-O` argument. These have been logged in raw form since https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1, in https://github.com/softwarepub/hermes/blob/3a92f42b2b976fdbc2c49a621de6d665364a7cee/src/hermes/commands/cli.py#L66. If users pass sensitive data such as API tokens (e.g., via `hermes deposit -O invenio_rdm.auth_token SECRET`), those values are written to the log file in plain text and are available to anyone who can read that file.

### Impact

Since `hermes.log` is not yet uploaded automatically as an artifact in CI, this vulnerability affects:

- local users on shared-access machines, where logs may be written to a file system other users can read
- CI users whose CI logs are readable by others, e.g., through group or organization permissions

Potentially, if the changes from https://github.com/softwarepub/ci-templates/pull/13 are merged into `ci-templates` via https://github.com/softwarepub/ci-templates/pull/14, this would automate the disclosure of Invenio auth tokens for at least all CI runs against Invenio instances.

### Patches

This has been patched in [`hermes` 0.9.1](TODO) by masking all values passed using `-O`.

### Workarounds

Upgrade to `hermes` >= 0.9.1.
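The logging defect and the fix's masking approach, as an added example that is not hermes project code: a stand-in parser for `-O KEY VALUE` pairs, a raw formatter that reproduces the pre-0.9.1 behaviour, a masked formatter that follows the 0.9.1 approach of masking every `-O` value, and an in-memory log capture so the reader can check offline whether a token reaches the log. All function names, the sample argv and the token value are assumptions constructed for this example.

```python
"""Added example (not hermes code): why logging raw -O values leaks secrets,
and a masking step that follows the 0.9.1 approach of masking every value.
Function names, sample argv and the token below are hypothetical."""
import io
import logging


def parse_dash_o(argv):
    """Collect `-O KEY VALUE` pairs from an argv list, e.g. the CLI call
    `hermes deposit -O invenio_rdm.auth_token SECRET` (hypothetical parser)."""
    pairs = []
    i = 0
    while i < len(argv):
        if argv[i] == "-O":
            if i + 2 >= len(argv):  # KEY and VALUE must both follow -O
                raise ValueError("-O requires KEY VALUE")
            pairs.append((argv[i + 1], argv[i + 2]))
            i += 3
        else:
            i += 1
    return pairs


def format_options_raw(options):
    """Vulnerable pattern: render key/value pairs verbatim, so any token
    passed via -O ends up in the log line."""
    return ", ".join(f"{k}={v}" for k, v in options)


def format_options_masked(options):
    """Hardened pattern: mask every value. -O accepts arbitrary keys, so a
    deny-list of 'known sensitive' keys would miss the next one."""
    return ", ".join(f"{k}=***" for k, _v in options)


def run_with_logging(argv, formatter):
    """Log the parsed options through `formatter` into an in-memory buffer
    and return the captured log text (stands in for hermes.log)."""
    buf = io.StringIO()
    logger = logging.getLogger(f"example.{formatter.__name__}")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.handlers[:] = [handler]
    options = parse_dash_o(argv)
    logger.debug("Subcommand options: %s", formatter(options))
    handler.flush()
    logger.removeHandler(handler)
    return buf.getvalue()


def secret_leaks(argv, formatter, secret):
    """True if `secret` appears verbatim in the captured log output."""
    return secret in run_with_logging(argv, formatter)


# Constructed sample invocation; the token is a placeholder, not a real one.
SAMPLE_ARGV = [
    "deposit",
    "-O", "invenio_rdm.auth_token", "SECRET-TOKEN-123",
    "-O", "invenio_rdm.site_url", "https://example.invalid",
]

if __name__ == "__main__":
    print("raw:   ", run_with_logging(SAMPLE_ARGV, format_options_raw).strip())
    print("masked:", run_with_logging(SAMPLE_ARGV, format_options_masked).strip())
    print("token leaks (raw)?   ", secret_leaks(SAMPLE_ARGV, format_options_raw, "SECRET-TOKEN-123"))
    print("token leaks (masked)?", secret_leaks(SAMPLE_ARGV, format_options_masked, "SECRET-TOKEN-123"))
```

Masking every value rather than only keys that look sensitive is the robust choice here, because `-O` is an open-ended key space and a deny-list cannot anticipate which key will carry a credential. Note also that upgrading does not scrub what was already written: a token that reached an existing `hermes.log` or a shared CI log should be treated as exposed and rotated.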
How to patch CVE-2026-22798
To patch CVE-2026-22798, upgrade the affected package to the patched version below.
- Upgrade to 0.9.1 or later
Is CVE-2026-22798 being exploited?
Low: the EPSS score is 0.0%, and no large-scale exploitation activity has been observed.
Affected packages (1)
- >= 0.8.1, < 0.9.1