CVE-2026-22798

Loose Lips Sink Ships: How Hermes Logged Its Way into a Security Nightmare

Amit Schendel
Senior Security Researcher

Jan 14, 2026 · 4 min read

Executive Summary (TL;DR)

Developers often log too much in the name of debugging. In CVE-2026-22798, the `hermes` CLI tool dumped the entire `argparse` namespace into a log file. Since `hermes` allows passing secrets via the `-O` flag, this meant every API key used to publish software was written to disk in plaintext. If you share a machine or run this in CI/CD, your secrets are public property.

The hermes software publication tool inadvertently logged sensitive command-line arguments, including API tokens and authentication secrets, to plaintext log files due to overzealous debug logging.
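The pattern behind CWE-532 here is easy to reproduce and easy to fix. The following is an added example, not hermes' own code: it builds a small argparse parser with an assumed `-O KEY=VALUE` override option (the real hermes option syntax is not taken from this page), shows the unsafe "log the whole namespace" call beside a version that redacts secret-looking overrides before logging, and includes a scanner a defender can run over existing log text to find values that should never have been written. All sample arguments and the secret-key pattern are constructed for the demonstration.

```python
import argparse
import io
import logging
import re

# Constructed heuristic: option keys that usually carry credentials.
SECRET_KEY_RE = re.compile(r"(token|secret|password|api[_-]?key|auth)", re.IGNORECASE)
REDACTED = "<redacted>"


def build_parser() -> argparse.ArgumentParser:
    """Minimal parser with an assumed, repeatable -O KEY=VALUE override option."""
    parser = argparse.ArgumentParser(prog="hermes-like")
    parser.add_argument("-O", "--option", action="append", default=[], metavar="KEY=VALUE")
    parser.add_argument("--config", default="hermes.toml")
    return parser


def log_args_unsafe(args: argparse.Namespace, logger: logging.Logger) -> str:
    """The CWE-532 pattern: dumps every parsed value, secrets included."""
    message = "parsed arguments: %r" % (args,)
    logger.debug(message)
    return message


def redact_override(override: str) -> str:
    """Mask the value of a KEY=VALUE override when the key looks secret-bearing."""
    key, sep, _value = override.partition("=")
    if sep and SECRET_KEY_RE.search(key):
        return f"{key}={REDACTED}"
    return override


def redact_namespace(args: argparse.Namespace) -> dict:
    """Copy the namespace into a dict that is safe to write to a log file."""
    safe = {}
    for name, value in vars(args).items():
        if name == "option":
            safe[name] = [redact_override(o) for o in value]
        else:
            safe[name] = value
    return safe


def log_args_safe(args: argparse.Namespace, logger: logging.Logger) -> str:
    """Same debug value, but redacted before it reaches any handler."""
    message = "parsed arguments: %r" % (redact_namespace(args),)
    logger.debug(message)
    return message


# Log-side check: KEY=VALUE pairs whose key matches the secret heuristic.
LEAK_RE = re.compile(
    r"([\w.\-]*(?:token|secret|password|api[_-]?key|auth)[\w.\-]*)=([^\s,'\"\]\)]+)",
    re.IGNORECASE,
)


def find_leaked_secrets(log_text: str) -> list:
    """Return (key, value) pairs in log text that look like plaintext credentials."""
    return [(k, v) for k, v in LEAK_RE.findall(log_text) if v != REDACTED]


def demo() -> tuple:
    """Parse constructed arguments and return (unsafe_line, safe_line)."""
    buffer = io.StringIO()
    logger = logging.getLogger("hermes-like-demo")
    logger.setLevel(logging.DEBUG)
    logger.handlers = [logging.StreamHandler(buffer)]
    # Constructed sample input; "abc123" stands in for a real API token.
    args = build_parser().parse_args(
        ["-O", "deposit.invenio.auth_token=abc123", "-O", "deposit.target_path=/tmp/out"]
    )
    return log_args_unsafe(args, logger), log_args_safe(args, logger)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe:", unsafe)
    print("safe:  ", safe)
    print("leaks in unsafe line:", find_leaked_secrets(unsafe))
    print("leaks in safe line:  ", find_leaked_secrets(safe))
```

The redaction happens on a copy of the namespace, so the running program still has the real value; only the log message changes. The key-name heuristic is deliberately broad, because a missed credential costs far more than an over-redacted debug line; a project would normally replace it with an explicit list of the options it knows carry secrets.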

Technical Appendix

CVSS Score
5.9 / 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
EPSS Probability
0.01%
Top 99% most exploited

Affected Systems

hermes CLI tool (softwarepub)

Affected Versions Detail

Product             Affected Versions        Fixed Version
hermes (softwarepub) >= 0.8.1, < 0.9.1       0.9.1
Attribute        Detail
CWE ID           CWE-532
Attack Vector    Local (File Read)
CVSS             5.9 (Medium)
EPSS Score       0.00011 (Low)
Impact           Credential Leak / Integrity Compromise
Exploit Status   Trivial (Log Analysis)
CWE-532
Insertion of Sensitive Information into Log File

Vulnerability Timeline

2026-01-01  Vulnerable code introduced in commit 7f64f10
2026-06-01  Fix released in version 0.9.1 (approximate, based on report)