
🐛CF_TUNNEL_PASSWORD expose in stdout (docker log)

Open salvq opened this issue 6 months ago • 0 comments

Describe the bug

The cloudflared binary/service outputs CF_TUNNEL_PASSWORD to stdout (docker log). The tunnel and connection work just fine; this is about credentials being shown in a log.

The cloudflared binary is used as part of the LinuxServer.io docker container called docker-swag.

According to information from a member of LinuxServer.io (link), the cloudflared binary/service outputs CF_TUNNEL_PASSWORD to stdout (docker log).

To Reproduce

  1. Use a https://github.com/linuxserver/docker-swag docker container with a cloudflared tunnel setup (docker-compose.yaml shown below in Additional context)
  2. Run docker-compose up
  3. See the logs and errors in the Logs and errors section

Expected behavior

No exposure of CF_TUNNEL_PASSWORD (or any credentials) in stdout (docker log)

Environment and versions

  • OS: QNAP TS-264D, x86 platform
  • Architecture: INTEL
  • Version: 2025.05.0

Logs and errors

swaghome | - hostname: "url.url.url"
swaghome | service: https://url.url.url/
swaghome | originRequest:
swaghome | access:
swaghome | required: true
swaghome | teamName: 3243
swaghome | audTag:
swaghome | - 123124346556757586976886
swaghome | - service: http_status:404 CF_TUNNEL_NAME:asdsdaad CF_TUNNEL_PASSWORD:34566578667867978978658678
swaghome | FILE__CF_TUNNEL_CONFIG:/config/tunnelconfig.yml FILE__CF_TUNNEL_PASSWORD:/run/secrets/CF_TUNNEL_PASSWORD]
swaghome | 2025-05-29T19:04:23Z INF Generated Connector ID: 3453445533654645654645
swaghome | 2025-05-29T19:04:23Z INF Initial protocol quic
swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use 172.18.5.210 as source for IPv4
swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use ::1 in zone lo as source for IPv6
swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use 172.18.5.210 as source for IPv4
swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use ::1 in zone lo as source for IPv6
swaghome | 2025-05-29T19:04:23Z INF Starting metrics server on 127.0.0.1:20241/metrics
swaghome | 2025-05-29T19:04:23Z INF Tunnel connection curve preferences: [CurveID(4588) CurveID(25497) CurveP256] connIndex=0 event=0 ip=1231231

Additional context

docker-compose.yaml

version: "2.1"
services:
  swag:
    image: lscr.io/linuxserver/swag:3.3.0-ls373
    container_name: swaghome
    environment:
      - TZ=Europe/Prague
      - URL=url.url
      - VALIDATION=dns
      - SUBDOMAINS=wildcard
      - DNSPLUGIN=cloudflare
      - DOCKER_MODS=linuxserver/mods:universal-cloudflared-2025.5.0|linuxserver/mods:swag-cloudflare-real-ip
      - CF_TUNNEL_NAME=yourtunnel
      - FILE__CF_TUNNEL_PASSWORD=/run/secrets/CF_TUNNEL_PASSWORD
      - FILE__CF_TUNNEL_CONFIG=/config/tunnelconfig.yml
      - FILE__CF_ZONE_ID=/run/secrets/CF_ZONE_ID
      - FILE__CF_ACCOUNT_ID=/run/secrets/CF_ACCOUNT_ID
      - FILE__CF_API_TOKEN=/run/secrets/CF_API_TOKEN
    extra_hosts:
      - url.url.url:127.0.0.1
      - acme-v02.api.letsencrypt.org:172.65.32.248
      - api.cloudflare.com:104.19.192.29
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /share/Container/swaghome:/config
    restart: unless-stopped
    secrets:
      - CF_TUNNEL_PASSWORD
      - CF_ZONE_ID
      - CF_ACCOUNT_ID
      - CF_API_TOKEN
    networks:
      ha_net:
        ipv4_address: 172.18.5.210
secrets:
  CF_TUNNEL_PASSWORD:
    file: /share/Container/secrets/swag/CF_TUNNEL_PASSWORD
  CF_ZONE_ID:
    file: /share/Container/secrets/swag/CF_ZONE_ID
  CF_ACCOUNT_ID:
    file: /share/Container/secrets/swag/CF_ACCOUNT_ID
  CF_API_TOKEN:
    file: /share/Container/secrets/swag/CF_API_TOKEN
networks:
  ha_net:
    external: true

salvq avatar Jun 01 '25 10:06 salvq
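
A check that can be run over captured container logs to find and mask credential-named `NAME:value` pairs of the kind shown in the log excerpt above. This is an added example, not code from the issue, cloudflared or LinuxServer.io; the keyword list, function names and sample values are assumptions.

```python
import re

# Assumption: variable names containing one of these words hold credentials.
SENSITIVE = ("PASSWORD", "TOKEN", "SECRET", "API_KEY")

# NAME:value pairs as they appear in the dump above (upper-case name, colon,
# value running to the next whitespace or closing bracket).
PAIR = re.compile(r"\b([A-Z][A-Z0-9_]*):([^\s\]]+)")

def is_sensitive(name: str) -> bool:
    # FILE__NAME entries carry the path of a secret file, not the secret itself.
    if name.startswith("FILE__"):
        return False
    return any(word in name for word in SENSITIVE)

def scan_line(line: str):
    """Return (redacted_line, [names whose values were masked])."""
    hits = []

    def mask(match):
        name = match.group(1)
        if not is_sensitive(name):
            return match.group(0)
        hits.append(name)
        return f"{name}:[REDACTED]"

    return PAIR.sub(mask, line), hits

def scan_log(text: str):
    """Scan a whole log; return (redacted_text, {line_number: [names]})."""
    out, findings = [], {}
    for number, line in enumerate(text.splitlines(), start=1):
        redacted, hits = scan_line(line)
        out.append(redacted)
        if hits:
            findings[number] = hits
    return "\n".join(out), findings

# Constructed sample modelled on the log lines in the issue (values are fake).
SAMPLE = """\
swaghome | - service: http_status:404 CF_TUNNEL_NAME:example CF_TUNNEL_PASSWORD:0000111122223333
swaghome | FILE__CF_TUNNEL_CONFIG:/config/tunnelconfig.yml FILE__CF_TUNNEL_PASSWORD:/run/secrets/CF_TUNNEL_PASSWORD]
swaghome | 2025-05-29T19:04:23Z INF Initial protocol quic"""

if __name__ == "__main__":
    print(scan_log(SAMPLE)[1])
```

Any value this check flags in a stored or shipped log should be treated as disclosed and rotated; masking the log does not undo the exposure.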