Game Over: Unity-CLI Spills Secrets in Verbose Mode
Vulnerability ID: CVE-2026-25918
CVSS Score: 5.9
Published: 2026-02-10
In the world of DevOps, visibility is everything. We want logs, metrics, and traces. But sometimes, tools give us a little too much visibility. The unity-cli tool, a popular wrapper for automating Unity Game Engine tasks, was found to be indiscriminately logging sensitive credentials—passwords, serials, and auth tokens—directly to standard output when the --verbose flag was engaged. This vulnerability turns your CI/CD logs into a treasure map for attackers looking to hijack your game development pipeline.
TL;DR
If you used unity-cli versions < 1.8.2 with the --verbose flag, your Unity credentials (password, serial, token) were printed in plaintext to your console logs. Attackers with access to your CI/CD history or shell logs can harvest these secrets.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-532
- Attack Vector: Local / Context Dependent
- CVSS: 5.9 (Medium)
- Confidentiality Impact: High
- Integrity Impact: None
- Exploit Status: Trivial (Log Inspection)
Affected Systems
- @rage-against-the-pixel/unity-cli < 1.8.2
- GitHub Actions Workflows using unity-cli
- Jenkins Pipelines using unity-cli
- GitLab CI Runners using unity-cli
- @rage-against-the-pixel/unity-cli: < 1.8.2 (Fixed in: 1.8.2)
Code Analysis
Commit: 8d4d67b
feat: added data masking for sensitive args
+ private scrubSensitiveData(obj: any): any { ... }
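Review bot: the added `scrubSensitiveData(obj: any): any` is shown with its body elided, so the hunk does not establish which keys are masked or whether nested objects and arrays are walked; the masking should cover all three credential types the advisory names (password, serial, token), run before the verbose logger serialises the arguments rather than only on a top-level object, and come with a test asserting that the raw values are absent from the verbose output.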
Exploit Details
- Manual: Log inspection of CI/CD pipelines running with --verbose
Mitigation Strategies
- Input Sanitization
- Secret Masking
- Log Rotation
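To make the secret-masking mitigation concrete, here is an added example in TypeScript (not unity-cli's own code, and not the body of the project's scrubSensitiveData): a recursive scrubber for parsed options, a separate pass for raw argv in both `--key=value` and `--key value` forms, and the verbose logger before and after the fix. The matched key names (password, serial, token) are an assumption drawn from the advisory's description.

```typescript
// Added example, not unity-cli's own code: mask credentials before a
// --verbose logger serialises parsed options or raw argv. The key names
// (password, serial, token) are an assumption based on the advisory.
// Matching is deliberately broad (authToken, serialNumber, ...): over-masking
// a log line is the safe direction.
const SENSITIVE = /password|serial|token/i;
const MASK = "***";

// Recursively masks any value whose key matches a sensitive name.
// Returns a new structure; the original object is not mutated.
function scrubSensitiveData(obj: unknown): unknown {
  if (Array.isArray(obj)) return obj.map((v) => scrubSensitiveData(v));
  if (obj !== null && typeof obj === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(obj as Record<string, unknown>)) {
      out[k] = SENSITIVE.test(k) ? MASK : scrubSensitiveData(v);
    }
    return out;
  }
  return obj;
}

// Raw argv needs its own pass: the secret arrives as a bare string in
// both the "--password=x" and the "--password x" forms.
function scrubArgv(argv: string[]): string[] {
  const out: string[] = [];
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    const eq = a.indexOf("=");
    if (a.startsWith("--") && eq > 2 && SENSITIVE.test(a.slice(2, eq))) {
      out.push(a.slice(0, eq + 1) + MASK); // --serial=***
    } else if (a.startsWith("--") && eq < 0 && SENSITIVE.test(a.slice(2))
               && i + 1 < argv.length && !argv[i + 1].startsWith("--")) {
      out.push(a, MASK); // --password ***
      i++;               // skip the secret itself
    } else {
      out.push(a);
    }
  }
  return out;
}

// Pre-1.8.2 behaviour as the advisory describes it: options are
// serialised verbatim, so the credentials land in the CI log.
function verboseLogUnsafe(opts: unknown): string {
  return "[verbose] options: " + JSON.stringify(opts);
}

// Corrected behaviour: scrub first, then serialise.
function verboseLogSafe(opts: unknown): string {
  return "[verbose] options: " + JSON.stringify(scrubSensitiveData(opts));
}
```

Wiring the scrubbed copy into the logger, rather than scrubbing the log string afterwards, is what keeps secrets out of CI history even when they appear in nested config objects.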
Remediation Steps:
- Upgrade @rage-against-the-pixel/unity-cli to version 1.8.2 or higher.
- Rotate all Unity credentials (passwords, tokens, serials) used in CI environments.
- Audit and delete historical CI/CD logs that may contain verbose output.
- Switch from CLI arguments to Environment Variables for passing secrets where possible.
References
Read the full report for CVE-2026-25918 on our website for more details including interactive diagrams and full exploit analysis.