CVE-2026-25918 in unity-cli
Summary
by MITRE • 02/10/2026
unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2, the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2.
Analysis
by VulDB Data Team • 02/28/2026
CVE-2026-25918 affects unity-cli, a command line utility used in the Unity Game Engine ecosystem, where it is commonly driven from automated workflows and continuous integration environments. The flaw resides in the sign-package command, which performs the package signing operations used when distributing Unity packages. It is a logging oversight: command line arguments are written into the tool's verbose output without any check for sensitive content.
Technically, the defect is improper handling of sensitive data during verbose logging. When the --verbose flag is combined with the sign-package command, the tool passes its command-line arguments, including the --email and --password parameters, through JSON.stringify and writes the result to its output. No sanitization or masking is applied, so authentication secrets appear in plaintext. The result is a direct information disclosure: the credentials are written into whatever captures the tool's output and persist there.
The operational impact spans several environments. Shell history captures executed commands together with their credential arguments, making them readable by anyone with access to the account or host. CI/CD pipelines routinely forward all command output to build logs, monitoring systems and log aggregation platforms, where the plaintext credentials are retained and broadly readable. Credential exposure can therefore occur across several system boundaries at once. The issue aligns with CWE-209, Information Exposure Through an Error Message, and CWE-312, Cleartext Storage of Sensitive Information, and maps to ATT&CK technique T1552.001, Unsecured Credentials.
Remediation requires sanitizing credentials inside the logging path of the unity-cli utility. Version 1.8.2 addresses the issue by masking or removing sensitive command-line arguments from verbose output before JSON.stringify runs. More generally, credential handling should follow the principle of least privilege, and sensitive values should never reach logging mechanisms. Organizations using the utility should upgrade to version 1.8.2 or later to stop further exposure in shell histories, CI/CD pipelines and log aggregation systems. The fix should be complemented by regular security audits of command line utilities and by consistent logging sanitization, so that the same defect does not recur in other components.
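To make both the logging defect and the remediation concrete, the following is an added JavaScript example written for this page; it is not unity-cli's code and does not reproduce its option parser or the actual 1.8.2 patch. It shows the vulnerable pattern (parsed arguments serialized with JSON.stringify straight into a verbose log line), a redaction wrapper of the kind the fix is described as adding, and a small check for spotting unmasked credential keys in log lines that were already captured. The extra option names (token, apiKey), the [REDACTED] marker, the helper names and the sample argv are assumptions constructed for the example; the advisory itself only names --email and --password.

```javascript
// Added example, not unity-cli's code. Option names beyond --email/--password,
// the "[REDACTED]" marker and the sample argv are constructed for illustration.

// Option names whose values must never reach a log line.
const SENSITIVE_OPTIONS = new Set(["password", "email", "token", "apiKey"]);

// Minimal parser for "--key value", "--key=value" and bare "--flag" forms.
function parseArgs(argv) {
  const opts = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith("--")) continue; // skip the subcommand and positionals
    const eq = arg.indexOf("=");
    if (eq !== -1) {
      opts[arg.slice(2, eq)] = arg.slice(eq + 1);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith("--")) {
      opts[arg.slice(2)] = argv[++i];
    } else {
      opts[arg.slice(2)] = true; // boolean flag such as --verbose
    }
  }
  return opts;
}

// Vulnerable pattern: the parsed options go through JSON.stringify unchanged,
// so the --email and --password values land in the verbose log verbatim.
function verboseLineUnsafe(opts) {
  return `[sign-package] args: ${JSON.stringify(opts)}`;
}

// Hardened pattern: mask sensitive keys (recursively, so nested config objects
// are covered too) before anything is serialized.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [key, inner] of Object.entries(value)) {
    out[key] = SENSITIVE_OPTIONS.has(key) ? "[REDACTED]" : redact(inner);
  }
  return out;
}

function verboseLineSafe(opts) {
  return `[sign-package] args: ${JSON.stringify(redact(opts))}`;
}

// Log review helper: report sensitive keys whose serialized value is not the
// redaction marker, e.g. when reviewing CI logs produced before the upgrade.
function findUnmaskedKeys(line) {
  const hits = [];
  for (const key of SENSITIVE_OPTIONS) {
    const re = new RegExp(`"${key}"\\s*:\\s*"(?!\\[REDACTED\\]")`);
    if (re.test(line)) hits.push(key);
  }
  return hits.sort();
}

// Constructed sample invocation; the credential value is a placeholder.
const SAMPLE_ARGV = [
  "sign-package",
  "--email", "dev@example.com",
  "--password=hunter2-placeholder",
  "--verbose",
];

const sampleOpts = parseArgs(SAMPLE_ARGV);
if (sampleOpts.verbose) {
  console.log("before fix:", verboseLineUnsafe(sampleOpts));
  console.log("after fix: ", verboseLineSafe(sampleOpts));
  console.log("unmasked keys in old line:", findUnmaskedKeys(verboseLineUnsafe(sampleOpts)));
}
```

Running the block with node prints the pre-fix line containing both credential values, the post-fix line with both replaced by [REDACTED], and the detection helper naming email and password as unmasked in the old line. The redaction is applied to the object before serialization rather than by post-processing the string, which is the robust choice: a regex over the finished JSON would have to cope with escaping and nesting, whereas masking by key cannot miss a value that JSON.stringify would otherwise emit.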