logo

Database

Sensitive information stored in logs In @rage-against-the-pixel/unity-cli

Description

unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command) The sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems.

Users who run sign-package with --verbose and credential arguments expose their Unity account passwords. This affects all versions prior to 1.8.2. The vulnerability requires explicit user action (using --verbose) but creates significant risk in automated and shared environments.

Workaround: Use environment variables (UNITY_USERNAME, UNITY_PASSWORD) instead of command-line arguments, and avoid the --verbose flag when working with credentials.

Existing RageAgainstThePixel and Buildalon GitHub actions are unaffected as they use the environment variables exclusively.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-259182. NVD-2026-259183. OSV-2026-259184. GHSA-4255-c27h-62m55. GCVE-2026-25918

References

1. https://github.com/RageAgainstThePixel/unity-cli/security/advisories/GHSA-4255-c27h-62m52. https://github.com/RageAgainstThePixel/unity-cli/commit/8d4d67b23d7c5fd8f00df3f0f10bec2961c953423. https://github.com/RageAgainstThePixel/unity-cli/releases/tag/v1.8.2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.