Security Advisory — Potential secrets exposure in validator logs

1. #1Amanda Martin04-03-2026source ↗

   Security Advisory — Potential secrets exposure in validator logs

   We have identified an issue where sensitive credentials (such as your PostgreSQL password and Ledger API auth token) may be written in plaintext to validator application logs. This only occurs under a specific combination of conditions described below.

   Who is affected?
   You may be affected if both of the following are true:

   1. Your validator deployment uses additional DARs beyond the standard Splice dars, AND you deployed those dars via the .appDars Helm value OR by manually setting the SPLICE_APP_DARS environment variable to a non-null value. (Uploading additional DARs via other means does not make you affected.)

   2. DEBUG-level logging is enabled for the validator app.

      • Helm deployments: DEBUG logging is on by default.

      • Docker Compose deployments: The default log level was changed from DEBUG to INFO in Splice 0.5.10.

   What should I do?

   1. Immediately ensure your validator app log level is set to INFO or above. This stops any further exposure.

   2. If you believe your deployment matched both conditions above, we recommend rotating the following secrets:

      • PostgreSQL database password

      • Ledger API auth token

      • Any other secrets you may have added as environment variables on the validator app deployment

   Fix
   This issue has been resolved in splice#4230 and will be included in the upcoming 0.5.14 release.