CVE-2026-25918

5.5 MEDIUM

📋 TL;DR

The unity-cli command-line utility logs sensitive credentials (email and password) in plaintext when using the --verbose flag with the sign-package command. This exposes authentication secrets in shell history, CI/CD logs, and log aggregation systems. Anyone using unity-cli versions before 1.8.2 with the --verbose flag is affected.

💻 Affected Systems

Products:
  • @rage-against-the-pixel/unity-cli
Versions: All versions prior to 1.8.2
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using the --verbose flag with the sign-package command.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain access to Unity accounts, potentially compromising game projects, source code, and deployment pipelines, leading to intellectual property theft or malicious code injection.

🟠 Likely Case

Credentials exposed in shared CI/CD logs or developer workstations are harvested, leading to unauthorized access to Unity services and potential project manipulation.

🟢 If Mitigated

With proper log sanitization and access controls, exposure is limited to local systems where logs are properly secured.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to logs where credentials are exposed; no special tools needed beyond log access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.2

Vendor Advisory: https://github.com/RageAgainstThePixel/unity-cli/security/advisories/GHSA-4255-c27h-62m5

Restart Required: No

Instructions:

1. Update unity-cli to version 1.8.2 or later using npm: npm update @rage-against-the-pixel/unity-cli
2. Verify the update with: npm list @rage-against-the-pixel/unity-cli

🔧 Temporary Workarounds

Avoid verbose logging (all)

Do not use the --verbose flag with the sign-package command to prevent credential logging.

Run sign-package without the --verbose flag.

Manual credential sanitization (all)

Manually sanitize logs after running commands with the --verbose flag.

Review and remove sensitive data from logs after command execution.

🧯 If You Can't Patch

  • Rotate all Unity credentials that may have been exposed in logs.
  • Implement strict access controls on log storage and monitoring systems.

🔍 How to Verify

Check if Vulnerable:

Check whether the installed unity-cli version is below 1.8.2 and whether the --verbose flag has been used with the sign-package command.

Check Version:

npm list @rage-against-the-pixel/unity-cli

Verify Fix Applied:

After updating to 1.8.2 or later, run sign-package with the --verbose flag and verify that the email and password are no longer logged in plaintext.

📡 Detection & Monitoring

Log Indicators:

  • Plaintext email and password fields in JSON output in logs
  • Unity CLI verbose logs containing authentication data

Network Indicators:

  • None - this is a local logging issue

SIEM Query:

Search logs for command output containing '--email' and '--password' values, or for JSON.stringify output containing email and password fields.
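The detection described above, as an added Python example that is not part of this advisory or of the unity-cli project: it scans log lines for the two log indicators listed (a sign-package command line carrying --email/--password values, and verbose JSON output containing email and password fields) and reports each hit with the secret partially redacted, so the scanner itself does not re-leak the credential into its own output. The sample log lines, timestamps and field names are constructed assumptions, not captured unity-cli output.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample log lines (assumption: this is what a CI log might look
# like after a CLI run with --verbose; not real unity-cli output).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z unity-cli sign-package --verbose --package ./build/game.unitypackage",
    '2024-01-01T10:00:01Z [verbose] args: {"email":"dev@example.com","password":"hunter2","package":"./build/game.unitypackage"}',
    "2024-01-01T10:00:02Z sign-package --email dev@example.com --password hunter2",
    "2024-01-01T10:00:03Z [info] package signed successfully",
    '2024-01-01T10:00:04Z [verbose] {"status":"ok","signer":"dev@example.com"}',
]

# JSON keys that indicate a secret was serialized into the log.
SECRET_KEYS = {"password", "passwd", "secret", "token"}

# Matches "--email value" / "--password=value" on a command line.
FLAG_RE = re.compile(r"--(email|password)(?:=|\s+)(\S+)")

# Rough extraction of a JSON object embedded in a log line.
JSON_RE = re.compile(r"\{.*\}")


def redact(value: str) -> str:
    """Keep only the first and last character so a hit is recognizable
    without the scanner reproducing the full secret."""
    if len(value) <= 2:
        return "***"
    return value[0] + "***" + value[-1]


def _flag_finding(line: str) -> Optional[Dict]:
    """Indicator 1: credentials passed as CLI flags and echoed into the log."""
    flags = {m.group(1): m.group(2) for m in FLAG_RE.finditer(line)}
    if "password" not in flags:
        return None
    return {"kind": "cli-flag", "email": flags.get("email"), "password": redact(flags["password"])}


def _json_finding(line: str) -> Optional[Dict]:
    """Indicator 2: a serialized (JSON.stringify-style) object with a secret field."""
    m = JSON_RE.search(line)
    if not m:
        return None
    try:
        obj = json.loads(m.group(0))
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict):
        return None
    secret_key = next((k for k in obj if k.lower() in SECRET_KEYS and isinstance(obj[k], str)), None)
    if secret_key is None:
        return None
    return {"kind": "json-field", "email": obj.get("email"), "password": redact(obj[secret_key])}


def scan_log(lines: List[str]) -> List[Dict]:
    """Return one finding per line that leaks a credential, with line numbers (1-based)."""
    report = []
    for n, line in enumerate(lines, 1):
        for finding in (_flag_finding(line), _json_finding(line)):
            if finding is not None:
                finding["line"] = n
                report.append(finding)
    return report


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} email={f['email']} password={f['password']}")
```

Pointing scan_log at real CI output is a quick way to confirm whether a credential ever reached a log store before 1.8.2 was deployed, and any hit is a signal that the corresponding Unity account password should be rotated, not merely that the log line should be deleted.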

🔗 References
