diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md
index 498050711e2..426889d5aa0 100644
--- a/CHANGELOG.unreleased.md
+++ b/CHANGELOG.unreleased.md
@@ -25,6 +25,8 @@
 
 > Users must be able to say: “I had this issue, happy to know it's fixed”
 
+- [Logs] Fix private data in API call: password now obfuscated (PR [#8019](https://github.com/vatesfr/xen-orchestra/pull/8019))
+
 ### Packages to release
 
 > When modifying a package, add it here with its release type.
diff --git a/packages/xo-server/src/xo-mixins/api.mjs b/packages/xo-server/src/xo-mixins/api.mjs
index 901c68d6400..d510d802130 100644
--- a/packages/xo-server/src/xo-mixins/api.mjs
+++ b/packages/xo-server/src/xo-mixins/api.mjs
@@ -386,10 +386,11 @@ export default class Api {
 
       const resolvedParams = await resolveParams.call(app, method, params)
 
+      // data.params contains obfuscated params
       let result = await (name in NO_LOG_METHODS
         ? method.call(app, resolvedParams)
         : app.tasks
-            .create({ name: 'API call: ' + name, method: name, params, type: 'api.call' }, { clearLogOnSuccess: true })
+            .create({ name: 'API call: ' + name, method: name, params: data.params, type: 'api.call' }, { clearLogOnSuccess: true })
             .run(() => method.call(app, resolvedParams)))
 
       // If nothing was returned, consider this operation a success