CVE-2026-22798

Name of the Vulnerable Software and Affected Versions hermes versions 0.8.1 through 0.9.0

Description hermes, a software publication automation workflow, exhibits a flaw where subcommands accept arbitrary options through the -O argument. Providing sensitive data, such as API tokens (e.g., via hermes deposit -O invenio rdm.auth token SECRET), results in the data being written to log files in plain text. This exposes the information to anyone with access to these log files. The -O argument is used to pass options to subcommands. The invenio rdm.auth token variable is an example of a sensitive data element.

Recommendations Upgrade to version 0.9.1 or later.