Azure Labs
Explore 1 lab in Azure.
The application writes sensitive information to log files. This may include user data, credentials, tokens, full request details, database queries, internal paths, system information, or other confidential values that should not be recorded. Logs are often accessible to a wider set of users, services, administrators, or support tooling than the original application data, making them a secondary exposure path for attackers. If an attacker gains access to application, build, debug, or error logs, they may be able to recover sensitive information and use it for account compromise, data theft, privilege escalation, or further attacks.
Review all logging statements and remove sensitive values before writing to logs. Avoid logging credentials, secrets, tokens, session identifiers, payment data, personal information, full database queries, or complete user objects. Use structured logging with explicit allowlists, redact or mask sensitive fields, and ensure debug logging is disabled in production. Log files should also be protected with strict access controls, retention limits, and monitoring for unauthorized access.
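The allowlist and masking approach described above, as an added example that is not part of the original page: a Python `logging` formatter that serializes only allowlisted fields, masks secret-looking substrings, and keeps production at INFO. The field names, patterns, the `fields` attribute and the sample event are assumptions made for illustration.

```python
import json
import logging
import re

# Assumed allowlist for this example: only these fields are ever serialized.
ALLOWED_FIELDS = {"event", "user_id", "status", "path", "duration_ms"}

# Illustrative (not exhaustive) patterns for secrets inside allowed string values.
SECRET_PATTERNS = [
    (re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]+"), r"\1 [REDACTED]"),
    (re.compile(r"(?i)\b(password|token|api_key|secret|sessionid)=[^&\s]+"), r"\1=[REDACTED]"),
]

def mask(value):
    """Mask secret-looking substrings in strings; other types pass through."""
    if isinstance(value, str):
        for pattern, replacement in SECRET_PATTERNS:
            value = pattern.sub(replacement, value)
    return value

class AllowlistJsonFormatter(logging.Formatter):
    """Emit JSON built from allowlisted fields only; everything else is dropped."""
    def format(self, record):
        fields = getattr(record, "fields", {})
        out = {k: mask(v) for k, v in fields.items() if k in ALLOWED_FIELDS}
        out["level"] = record.levelname
        out["msg"] = mask(record.getMessage())
        dropped = sorted(set(fields) - ALLOWED_FIELDS)
        if dropped:
            out["dropped_fields"] = dropped  # names only, never the values
        return json.dumps(out, sort_keys=True)

def build_logger(production=True):
    """Attach the formatter; production stays at INFO so debug output is off."""
    logger = logging.getLogger("app")
    handler = logging.StreamHandler()
    handler.setFormatter(AllowlistJsonFormatter())
    logger.handlers = [handler]
    logger.setLevel(logging.INFO if production else logging.DEBUG)
    return logger

def render(msg, fields):
    """Format one record without emitting it, so the result can be inspected."""
    record = logging.LogRecord("app", logging.INFO, "example", 0, msg, None, None)
    record.fields = fields
    return AllowlistJsonFormatter().format(record)

# Constructed sample event containing values that must not reach the log.
SAMPLE = {"event": "login", "user_id": 42, "password": "hunter2",
          "path": "/cb?token=abc123&next=/home", "user": {"email": "a@example.test"}}
```

Application code would pass the event as `logger.info("login", extra={"fields": event})`; recording the names of dropped fields shows reviewers which call sites still hand sensitive objects to the logger.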