CVE-2026-22798: CWE-532: Insertion of Sensitive Information into Log File in softwarepub hermes
CVE-2026-22798 is a medium severity vulnerability in the softwarepub hermes tool, versions 0.8.1 up to but not including 0.9.1. hermes logs arbitrary options passed via the -O argument in raw form, including sensitive values such as API tokens, so those values are written in plaintext to log files and exposed to any user or process that can read them. Exploitation requires local access with limited privileges and some user interaction, but a token recovered from the logs can be used to compromise the integrity of the publication workflow. The vulnerability is fixed in version 0.9.1.
AI Analysis
Technical Summary
CVE-2026-22798 affects the softwarepub hermes tool, versions 0.8.1 up to but not including 0.9.1. hermes is a workflow automation tool for publishing software with rich metadata. The flaw lies in how hermes handles the -O argument, which sets arbitrary configuration options from the command line. When a user passes a sensitive value this way, for example 'hermes deposit -O invenio_rdm.auth_token SECRET', the option is logged verbatim, so the token ends up in plaintext in the application's log files. This is an instance of CWE-532: Insertion of Sensitive Information into Log File. Anyone who can read those logs can reuse the token to act as the legitimate user or service against the deposit target. Triggering the exposure requires local access with limited privileges and some user interaction: a user must actually run the tool with a secret in -O. The CVSS v3.1 base score is 5.9 (medium); as recorded, the vector reflects a local attack vector, low attack complexity and an integrity impact, with no direct confidentiality or availability impact. In practical terms the immediate effect is disclosure of the token, and the integrity impact is whatever the stolen token then permits. The advisory does not describe the fix; version 0.9.1 presumably stops logging option values in raw form or redacts sensitive ones. No exploitation in the wild had been reported at publication. The risk is greatest on shared, multi-user systems and wherever log files are loosely permissioned or forwarded to a central collector with a broader readership.
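The logging pattern behind CWE-532, beside one way to close it, as an added example written for this page rather than code taken from hermes. It assumes a hypothetical parse_options for the '-O key value' syntax of the advisory's example command, a SENSITIVE_KEY name pattern, and an OptionRedactor logging filter; none of these names come from hermes, and the command line is constructed from the example above.

```python
"""Added example, not hermes code: keep '-O key value' secrets out of logs.

Assumptions (none of this is taken from hermes): the option syntax follows the
advisory's 'hermes deposit -O invenio_rdm.auth_token SECRET' example; the
SENSITIVE_KEY pattern and the OptionRedactor filter are illustrative.
"""
import io
import logging
import re
from typing import Dict, Iterable, List

# Option keys whose values must never be logged. Anchoring on the last dotted or
# underscored component catches 'auth_token', 'invenio_rdm.auth_token', 'api_key'.
SENSITIVE_KEY = re.compile(r"(?:^|[._-])(?:token|secret|password|passwd|api_?key)$", re.I)

REDACTED = "***REDACTED***"


def parse_options(argv: Iterable[str]) -> Dict[str, str]:
    """Collect repeated '-O key value' pairs from a command line into a dict."""
    args: List[str] = list(argv)
    opts: Dict[str, str] = {}
    i = 0
    while i < len(args):
        if args[i] == "-O" and i + 2 < len(args):
            opts[args[i + 1]] = args[i + 2]
            i += 3
        else:
            i += 1
    return opts


def is_sensitive(key: str) -> bool:
    return SENSITIVE_KEY.search(key) is not None


def redact_options(opts: Dict[str, str]) -> Dict[str, str]:
    """Copy of the options that is safe to log: secret values masked, keys kept."""
    return {k: (REDACTED if is_sensitive(k) else v) for k, v in opts.items()}


class OptionRedactor(logging.Filter):
    """Defence in depth: scrub known secret *values* from every record, so a
    stray debug statement elsewhere in the code base cannot leak them either."""

    def __init__(self, secrets: Iterable[str]) -> None:
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()
        for s in self._secrets:
            msg = msg.replace(s, REDACTED)
        record.msg, record.args = msg, ()
        return True


def log_options_vulnerable(logger: logging.Logger, opts: Dict[str, str]) -> None:
    # The CWE-532 pattern: the raw option dict, token included, goes to the log.
    logger.debug("Running with options: %s", opts)


def log_options_hardened(logger: logging.Logger, opts: Dict[str, str]) -> None:
    # Redact by key name before the value ever reaches the logging call.
    logger.debug("Running with options: %s", redact_options(opts))


def demo(hardened: bool) -> str:
    """Run the advisory's example command line through one code path and
    return the captured log text (constructed input, in-memory log)."""
    argv = ["deposit", "-O", "invenio_rdm.auth_token", "SECRET",
            "-O", "invenio_rdm.site_url", "https://example.org"]
    opts = parse_options(argv)
    buf = io.StringIO()
    # A standalone Logger instance, deliberately kept out of the global registry.
    logger = logging.Logger("hermes-example", level=logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    if hardened:
        logger.addFilter(OptionRedactor(v for k, v in opts.items() if is_sensitive(k)))
        log_options_hardened(logger, opts)
    else:
        log_options_vulnerable(logger, opts)
    return buf.getvalue()


if __name__ == "__main__":
    print("vulnerable:", demo(False), end="")
    print("hardened:  ", demo(True), end="")
```

Redacting by key name is the primary control; the value-based filter is a second layer for the case where some other code path formats the same secret into a message. Key-name matching is only as good as the pattern, so any new option that carries a credential must be added to it.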
Potential Impact
For European organizations, this vulnerability creates a risk that API tokens recorded in log files are read by someone other than their owner and used against the internal or external services they authenticate to. Organizations running hermes versions before 0.9.1 on multi-user systems or shared infrastructure are most exposed. A compromised publication token undermines the integrity of automated software publication workflows: an attacker holding it could publish manipulated artifacts or alter record metadata under the victim's identity. The recorded CVSS vector attributes the impact to integrity rather than confidentiality or availability, but that integrity loss has downstream effects on software supply chain security, a prominent concern in Europe given the regulatory focus on software provenance. Token exposure may also engage data protection obligations where the token grants access to personal or otherwise sensitive data. The local attack vector rules out direct remote exploitation but not insider misuse or abuse through an already compromised account. Organizations relying on hermes for software publication should treat this as a moderate risk to operational security and supply chain integrity.
Mitigation Recommendations
The primary mitigation is to upgrade hermes to version 0.9.1 or later, where the issue is fixed. Until that is possible:
1) Do not pass API tokens or other secrets via -O or any other command-line option. Besides being logged by affected versions, command-line arguments are visible to every local user for the lifetime of the process (ps, /proc/<pid>/cmdline) and are recorded in shell history. Supply secrets through environment variables (readable only by the same user and root), a configuration file with restrictive permissions, or a credential store instead.
2) Restrict read access to hermes log files to trusted administrators and processes with strict file permissions, and monitor access to them.
3) Apply log rotation and secure archival so that exposed values do not persist longer than necessary, and check whether the logs are forwarded to a central collector, which widens their readership.
4) Make users and administrators aware that command-line arguments and logs are not a safe place for secrets.
5) Monitor for unusual token use, such as deposits or record changes the legitimate owner did not initiate.
6) Isolate the environments in which hermes runs to limit who can reach its logs.
7) Audit existing logs for exposed tokens, and revoke or rotate any that appear there, treating them as compromised.
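The audit in the last step, as an added example written for this page and not part of hermes. The sample log lines are constructed; the page does not show the real log format of an affected hermes version, so the scanner keys on sensitive option names followed by a value rather than on any particular line layout. The LEAK pattern, Finding type and matches_live_credential helper are this example's own.

```python
"""Added example, not hermes code: audit existing logs for leaked option values.

The log lines below are constructed for this example; the page does not show
the real log format of an affected hermes version, so the scanner keys on
sensitive option names ('token', 'secret', 'password', 'api_key') followed by a
value, rather than on a particular line layout.
"""
import hashlib
import re
from typing import List, NamedTuple, Tuple

# Constructed sample, not real hermes output.
SAMPLE_LOG = (
    "2026-01-10 09:14:02 DEBUG hermes.deposit option invenio_rdm.site_url=https://example.org\n"
    "2026-01-10 09:14:02 DEBUG hermes.deposit option invenio_rdm.auth_token=AbCdEf0123456789XyZ\n"
    "2026-01-10 09:14:03 INFO  hermes.deposit deposit finished\n"
)

# A sensitive option name, then '=', ':' or whitespace, then the value.
LEAK = re.compile(
    r"(?P<key>[\w.-]*(?:token|secret|password|passwd|api[_-]?key))"
    r"\s*[=:\s]\s*['\"]?(?P<value>[^\s'\"]+)",
    re.I,
)

REDACTED = "***REDACTED***"


class Finding(NamedTuple):
    lineno: int
    key: str
    # sha256 prefix of the value: enough to match it against a live credential
    # later without copying the secret itself into yet another file.
    fingerprint: str


def fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def _mask(m: re.Match) -> str:
    # Keep the key and separator, replace only the value.
    return m.group(0)[: m.start("value") - m.start()] + REDACTED


def audit_log(text: str) -> Tuple[List[Finding], str]:
    """Return (findings to act on, a redacted copy of the log that is safe to retain)."""
    findings: List[Finding] = []
    out: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in LEAK.finditer(line):
            findings.append(Finding(lineno, m.group("key"), fingerprint(m.group("value"))))
        out.append(LEAK.sub(_mask, line))
    redacted = "\n".join(out)
    return findings, redacted + ("\n" if text.endswith("\n") else "")


def matches_live_credential(finding: Finding, candidate: str) -> bool:
    """Was the leaked value the credential configured right now? If so, the
    token must be revoked; cleaning the log alone is not enough."""
    return fingerprint(candidate) == finding.fingerprint


if __name__ == "__main__":
    found, clean = audit_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.lineno}: {f.key} leaked (sha256 {f.fingerprint}); rotate it")
    print(clean, end="")
```

The pattern deliberately over-reports: any word ending in token, secret or password followed by a value is flagged, so the findings need a human pass before revocation. Keep the fingerprints, not the values, in the audit record, and treat a match against a currently configured credential as a rotation, not a log-cleanup, task.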
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-09T22:50:10.287Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696570edda2266e83831189d
Added to database: 1/12/2026, 10:08:45 PM
Last enriched: 1/21/2026, 3:02:43 AM
Last updated: 2/27/2026, 3:58:06 AM