diff --git a/server/modules/authenticator/MySQLAuth/dbusers.c b/server/modules/authenticator/MySQLAuth/dbusers.c
index 2b5f12f61..d31bfa016 100644
--- a/server/modules/authenticator/MySQLAuth/dbusers.c
+++ b/server/modules/authenticator/MySQLAuth/dbusers.c
@@ -220,7 +220,7 @@ static bool check_password(const char *output, uint8_t *token, size_t token_len,
 
     /** Next, extract the SHA1 of the real password by XOR'ing it with
      * the output of the previous calculation */
-    uint8_t step2[SHA_DIGEST_LENGTH];
+    uint8_t step2[SHA_DIGEST_LENGTH] = {};
     gw_str_xor(step2, token, step1, token_len);
 
     /** The phase 2 scramble needs to be copied to the shared data structure as it