Security Advisory: Secrets in Validator Logs

March 4, 2026

Security Advisory — Potential secrets exposure in validator logs

We have identified an issue where sensitive credentials (such as your PostgreSQL password and Ledger API auth token) may be written in plaintext to validator application logs. This only occurs under a specific combination of conditions described below.

Who is affected?
You may be affected if both of the following are true:
1. Your validator deployment uses additional DARs beyond the standard Splice dars, AND you deployed those dars via the .appDars Helm value OR by manually setting the SPLICE_APP_DARS environment variable to a non-null value. (Uploading additional DARs via other means does not make you affected.)
2. DEBUG-level logging is enabled for the validator app.
- Helm deployments: DEBUG logging is on by default.
- Docker Compose deployments: The default log level was changed from DEBUG to INFO in Splice 0.5.10.

What should I do?
1. Immediately ensure your validator app log level is set toINFO or above. This stops any further exposure.
If you believe your deployment matched both conditions above, we recommend rotating the following secrets:
- PostgreSQL database password
- Ledger API auth token
- Any other secrets you may have added as environment variables on the validator app deployment

Fix
This issue has been resolved in splice#4230 and will be included in the upcoming 0.5.14 release.

|| @Dev Announcements @Canton Builder ||

Previous Update

Security Advisory: Secrets in Validator Logs

Security Advisory — Potential secrets exposure in validator logs

The latest from Canton Network

Help Center

Docs

Discord

Telegram DM 👑

Premium Feature

Unlock Premium Support

What's New

UPCOMING FEATURE

Recent Updates

Join the Hype Engine Waitlist

Upcoming: Hype Engine V2

Upcoming: Role Analytics

Recent Updates

Join Spark Tickets Waitlist

Join X Integration Waitlist

Discord SEO v2

Are you currently using our bot?

Join Role Analytics Waitlist