CVE-2026-25918 Overview
CVE-2026-25918 is an Information Disclosure vulnerability affecting unity-cli, a command line utility for the Unity Game Engine. Prior to version 1.8.2, the sign-package command logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems.
Critical Impact
Credentials passed to the unity-cli tool may be exposed in plaintext through verbose logging, potentially compromising Unity developer accounts and CI/CD pipelines.
Affected Products
- @rage-against-the-pixel/unity-cli versions prior to 1.8.2
Discovery Timeline
- 2026-02-09 - CVE CVE-2026-25918 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-25918
Vulnerability Analysis
This vulnerability is classified under CWE-532 (Insertion of Sensitive Information into Log File). The core issue stems from the sign-package command's verbose logging implementation, which outputs all command-line arguments through JSON.stringify without filtering sensitive values. When developers or automated systems invoke the CLI with authentication credentials and enable verbose mode for debugging purposes, passwords, email addresses, and other sensitive parameters are written to logs in cleartext.
The exposure risk is particularly significant in CI/CD environments where build logs are often stored, indexed, and accessible to broader teams. Log aggregation systems commonly used in enterprise environments can inadvertently persist these credentials, creating long-term exposure windows that extend well beyond the immediate command execution.
Root Cause
The root cause is improper handling of sensitive data in the logging subsystem. The verbose debugging output serializes the entire options object passed to commands without implementing any credential scrubbing or masking logic. This design oversight means that any authentication-related parameters (--email, --password, -username, -password, -serial) are logged in their original, unredacted form.
Attack Vector
The attack vector is local, requiring access to log files, shell history, or CI/CD build outputs. An attacker with read access to these resources could extract plaintext credentials and use them to:
- Compromise Unity developer accounts
- Sign malicious packages using stolen credentials
- Access cloud organization resources associated with the exposed accounts
- Pivot to other systems where the same credentials may be reused
The following patch demonstrates the security fix implemented in version 1.8.2, which introduces credential masking and sensitive data scrubbing:
}
}
+ /**
+ * Masks a credential value in CI environments before it appears in logs.
+ * This is a convenience wrapper around CI_mask for credential values.
+ * @param value The credential value to mask.
+ */
+ public maskCredential(value: string | undefined): void {
+ if (value && value.length > 0) {
+ this.CI_mask(value);
+ }
+ }
+
+ /**
+ * Logs command-line options with sensitive information scrubbed.
+ * Automatically removes passwords, tokens, emails, and other credentials from the output.
+ * @param options The options object to log (typically from commander.js).
+ * @param optionalParams Additional parameters to log.
+ */
+ public debugOptions(options: any, ...optionalParams: any[]): void {
+ // Avoid expensive scrubbing and stringification when debug logging is disabled.
+ if (this.logLevel !== LogLevel.DEBUG) {
+ return;
+ }
+ const scrubbed = this.scrubSensitiveData(options);
+ this.debug(JSON.stringify(scrubbed), ...optionalParams);
+ }
+
+ /**
Source: GitHub Commit Update
Additionally, the patch introduces argument-level scrubbing for Unity Editor invocations:
return templates;
}
+ /**
+ * Scrubs sensitive command-line arguments for safe logging.
+ * Replaces values for sensitive flags like -username, -password, etc. with [REDACTED].
+ * @param args The command-line arguments array.
+ * @returns A new array with sensitive values redacted.
+ */
+ public scrubSensitiveArgs(args: string[]): string[] {
+ const sensitiveFlags = ['-username', '-password', '-cloudOrganization', '-serial'];
+ const scrubbedArgs: string[] = [];
+
+ for (let i = 0; i < args.length; i++) {
+ const arg = args[i];
+ if (!arg) continue;
+
+ scrubbedArgs.push(arg);
+
+ // If this is a sensitive flag and the next item is its value
+ if (sensitiveFlags.includes(arg) && i + 1 < args.length) {
+ scrubbedArgs.push('[REDACTED]');
+ i++; // Skip the next item (the actual value) since we've already added [REDACTED]
+ }
+ }
+
+ return scrubbedArgs;
+ }
+
/**
Source: GitHub Commit Update
Detection Methods for CVE-2026-25918
Indicators of Compromise
- Presence of plaintext email addresses or passwords in CI/CD build logs containing unity-cli commands
- Shell history files (.bash_history, .zsh_history) containing sign-package commands with --verbose flag and credential arguments
- Log aggregation systems containing JSON-serialized objects with email or password fields from unity-cli executions
Detection Strategies
- Audit CI/CD pipeline logs for unity-cli sign-package commands executed with the --verbose flag
- Implement log scanning for patterns matching email addresses and password-like strings in build outputs
- Review shell history files on developer workstations and build agents for exposed credentials
- Search log aggregation platforms for unity-cli related entries containing authentication parameters
Monitoring Recommendations
- Enable secret scanning in your version control and CI/CD systems to detect inadvertently committed credentials
- Configure log retention policies to minimize exposure window for potentially compromised logs
- Implement alerts for any sign-package --verbose command executions in production CI/CD pipelines
How to Mitigate CVE-2026-25918
Immediate Actions Required
- Upgrade @rage-against-the-pixel/unity-cli to version 1.8.2 or later immediately
- Rotate any credentials that may have been exposed through verbose logging prior to the upgrade
- Audit and purge historical logs that may contain exposed credentials from the vulnerable version
- Review CI/CD pipeline configurations to ensure credentials are passed via secure secret management rather than command-line arguments
Patch Information
The vulnerability is fixed in version 1.8.2 of @rage-against-the-pixel/unity-cli. The patch introduces the maskCredential() method for CI environment masking, the debugOptions() method that automatically scrubs sensitive data before logging, and the scrubSensitiveArgs() function that replaces sensitive flag values with [REDACTED]. Full details are available in the GitHub Security Advisory GHSA-4255 and the GitHub Release v1.8.2.
Workarounds
- Avoid using the --verbose flag when passing credentials to sign-package commands until upgraded
- Use environment variables or credential files instead of command-line arguments for sensitive authentication data
- Implement CI/CD secret masking features (available in GitHub Actions, GitLab CI, Azure DevOps) to redact known secret values from logs
# Configuration example - Use environment variables instead of CLI arguments
export UNITY_EMAIL="your-email@example.com"
export UNITY_PASSWORD="your-secure-password"
# Upgrade to patched version
npm install @rage-against-the-pixel/unity-cli@1.8.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
