CWE-532 Base Incomplete Medium likelihood

Insertion of Sensitive Information into Log File

This vulnerability occurs when an application unintentionally writes confidential data, such as passwords or API keys, into its log files.

Definition

What is CWE-532?

This vulnerability occurs when an application unintentionally writes confidential data, such as passwords or API keys, into its log files.
Developers often add logging statements for debugging, but these can accidentally capture sensitive user data or system secrets. When these logs are stored insecurely or with broad permissions, attackers can read them to steal credentials, impersonate users, or gain unauthorized access to internal systems. This is a common oversight that turns a routine troubleshooting tool into a significant security liability. Preventing this requires careful code reviews to sanitize log output and configuring loggers to exclude sensitive fields. While SAST tools can catch the pattern, Plexicus uses AI to suggest the actual code fix—like replacing a sensitive value with a hash or redacting it entirely—saving hours of manual work. Managing this at scale across numerous applications is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire software stack.
Vulnerability Diagram CWE-532
Insertion of Sensitive Information into Log Login handler log.info("body: " + body) app.log 11:00 INFO POST /login body: {user:"a", pw:"hunter2"} cookie: session=abc123 card: 4111-1111-1111-1111 11:01 INFO ... Anyone w/ logs SIEM, support, CI Secrets and PII written to logs end up in many systems and people.
Real-world impact

Real-world CVEs caused by CWE-532

  • CVE-2017-9615

    verbose logging stores admin credentials in a world-readable log file

  • CVE-2018-1999036

    SSH password for private key stored in build log

How attackers exploit it

Step-by-step attacker path

  1. 1

    In the following code snippet, a user's full name and credit card number are written to a log file.

  2. 2

    This code stores location information about the current user:

  3. 3

    When the application encounters an exception it will write the user object to the log. Because the user object contains location information, the user's location is also written to the log.

  4. 4

    In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file.

  5. 5

    The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database.

Vulnerable code example

Vulnerable Java

In the following code snippet, a user's full name and credit card number are written to a log file.

Vulnerable Java 
logger.info("Username: " + usernme + ", CCN: " + ccn);
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-532

  • Architecture and Design / Implementation Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
  • Distribution Remove debug log files before deploying the application into production.
  • Operation Protect log files against unauthorized read/write.
  • Implementation Adjust configurations appropriately when software is transitioned from a debug state to production.
Detection signals

How to detect CWE-532

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-532 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-532?

This vulnerability occurs when an application unintentionally writes confidential data, such as passwords or API keys, into its log files.

How serious is CWE-532?

MITRE rates the likelihood of exploit as Medium — exploitation is realistic but typically requires specific conditions.

What languages or platforms are affected by CWE-532?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-532?

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files. Remove debug log files before deploying the application into production.

How does Plexicus detect and fix CWE-532?

Plexicus's SAST engine matches the data-flow signature for CWE-532 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-532?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/532.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-532

CWE-538 Parent

Insertion of Sensitive Information into Externally-Accessible File or Directory

This vulnerability occurs when an application unintentionally stores confidential data—like passwords, API keys, or personal user…

CWE-540 Sibling

Inclusion of Sensitive Information in Source Code

This vulnerability occurs when sensitive information like passwords, API keys, or internal logic is exposed within source code that…

CWE-651 Sibling

Exposure of WSDL File Containing Sensitive Information

This vulnerability occurs when a Web Service Definition Language (WSDL) file, which acts as a public blueprint for a web service, is…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.