Mask SCRAM client-proof in SASL client debug log payloads


    • Server Security
    • Server Security 2026-06-19

      At elevated network log verbosity, the SASL client emits the base64-encoded SCRAM protocol bytes in LOGV2_DEBUG messages (id=20197, id=20198) in src/mongo/client/sasl_client_authenticate_impl.cpp. The SCRAM client-final message contains the p=<client-proof> attribute alongside salt and iteration count.

      This is a logging hygiene improvement:

      • These messages emit only at network component verbosity >= 4, which is well above any default and is typically only enabled during deep auth or network debugging.
      • The cleartext password is not present; only SCRAM-derived material, which is bounded by the configured iteration count and the difficulty of the underlying password.
      • For internal cluster auth using a keyfile, the underlying secret is high-entropy random bytes, making offline analysis impractical.

      Proposal: mask the p=... portion of the client-final SCRAM message before logging, preserving the rest (c=..., r=...) for diagnostic value. The same treatment could optionally be applied to the v=... server signature in the server-final message.

      Locations:

      • src/mongo/client/sasl_client_authenticate_impl.cpp: LOGV2_DEBUG(20197, ...) and LOGV2_DEBUG(20198, ...)
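As an added example (not code from the MongoDB source tree): a helper that masks the p= and v= attributes of a SCRAM message before it is logged, assuming the masking is applied to the raw SCRAM bytes before they are base64-encoded for the LOGV2_DEBUG payload. The function name maskScramSecrets and the "<masked>" placeholder are the example's own choices; the sample messages in main() are constructed in the shape of the RFC 5802 exchange.

```cpp
// Added example (not MongoDB's code): mask the secret-derived attributes of a
// SCRAM message before it reaches a debug log line.
#include <cstddef>
#include <iostream>
#include <string>
#include <string_view>

// RFC 5802 attributes whose values are derived from the password/key:
//   p = ClientProof     (client-final message)
//   v = ServerSignature (server-final message)
// c= (channel binding) and r= (nonce) carry no secret and stay visible.
static bool isSensitiveScramAttribute(char key) {
    return key == 'p' || key == 'v';
}

// Returns a copy of `msg` with the value of every p= and v= attribute replaced
// by "<masked>". SCRAM attributes are comma-separated, and the values of c=,
// r=, p= and v= never contain a raw comma (RFC 5802 escapes ',' as =2C in
// names), so splitting on ',' is safe. Apply this to the raw SCRAM bytes
// *before* base64-encoding them for the log payload.
std::string maskScramSecrets(std::string_view msg) {
    constexpr std::string_view kMask = "<masked>";
    std::string out;
    out.reserve(msg.size());
    std::size_t pos = 0;
    for (;;) {
        const std::size_t comma = msg.find(',', pos);
        const std::size_t len =
            (comma == std::string_view::npos) ? msg.size() - pos : comma - pos;
        const std::string_view attr = msg.substr(pos, len);
        // An attribute is "<key>=<value>"; GS2 header tokens ("n", "") have no '='.
        if (attr.size() >= 2 && attr[1] == '=' && isSensitiveScramAttribute(attr[0])) {
            out.append(attr.data(), 2);  // keep "p=" / "v=" so the line stays parseable
            out.append(kMask.data(), kMask.size());
        } else {
            out.append(attr.data(), attr.size());
        }
        if (comma == std::string_view::npos) {
            break;
        }
        out.push_back(',');
        pos = comma + 1;
    }
    return out;
}

int main() {
    // Constructed sample exchange (shape of RFC 5802 section 5), not captured traffic.
    const std::string_view clientFirst = "n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j";
    const std::string_view clientFinal =
        "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j3rfcNHYJY1ZVvWVs7j,"
        "p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=";
    const std::string_view serverFinal = "v=rmF9pqV8S7suAoZWja4dJRkFsKQ=";

    std::cout << maskScramSecrets(clientFirst) << '\n';  // unchanged: no secret-derived attr
    std::cout << maskScramSecrets(clientFinal) << '\n';  // c= and r= kept, p= masked
    std::cout << maskScramSecrets(serverFinal) << '\n';  // v= masked
    return 0;
}
```

The function keeps the attribute key so a reader of the log still sees that a proof or signature was sent, only its value is gone; the nonce and channel-binding data that make the messages useful for correlating a failed handshake are left intact.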

            Assignee: Karen Zhao
            Reporter: Valentin Leon
            Votes: 0
            Watchers: 1
