diff --git a/fireflyiii/CHANGELOG.md b/fireflyiii/CHANGELOG.md
index 05e7b8cdd..64b015523 100644
--- a/fireflyiii/CHANGELOG.md
+++ b/fireflyiii/CHANGELOG.md
@@ -1,6 +1,12 @@
+## 6.5.10 (2026-04-23)
+- Fix: use service discovery credentials for CREATE DATABASE bootstrap (prevents failure when user-specified credentials lack CREATE privilege)
+- Fix: validate DB_DATABASE name to prevent SQL injection in bootstrap SQL statement
+- Fix: DB_PASSWORD is no longer logged to addon logs
+
 ## 6.5.9 (2026-03-28)
 - Update to latest version from firefly-iii/firefly-iii (changelog : https://github.com/firefly-iii/firefly-iii/releases)
+- Fix: mariadb_addon now respects user-configured DB_USERNAME, DB_PASSWORD, and DB_DATABASE options instead of always using service discovery credentials
 ## 6.5.6 (2026-03-21)
 - Update to latest version from firefly-iii/firefly-iii (changelog : https://github.com/firefly-iii/firefly-iii/releases)
diff --git a/fireflyiii/README.md b/fireflyiii/README.md
index 9e474f69e..d467f9796 100644
--- a/fireflyiii/README.md
+++ b/fireflyiii/README.md
@@ -51,9 +51,9 @@ Configurations can be done through the app webUI, except for the following optio
 | `DB_CONNECTION` | list | `sqlite_internal` | Database type (sqlite_internal/mariadb_addon/mysql/pgsql) |
 | `DB_HOST` | str | | Database host (for external databases) |
 | `DB_PORT` | str | | Database port (for external databases) |
-| `DB_DATABASE` | str | | Database name (for external databases) |
-| `DB_USERNAME` | str | | Database username (for external databases) |
-| `DB_PASSWORD` | str | | Database password (for external databases) |
+| `DB_DATABASE` | str | | Database name (defaults to `firefly` for mariadb_addon) |
+| `DB_USERNAME` | str | | Database username (overrides MariaDB addon service discovery if set) |
+| `DB_PASSWORD` | str | | Database password (overrides MariaDB addon service discovery if set) |
 | `Updates` | list | | Automatic update schedule (hourly/daily/weekly) |
 | `silent` | bool | `true` | Silent mode - set to false for debug info |
diff --git a/fireflyiii/config.yaml b/fireflyiii/config.yaml
index f16e761fb..1ca3ffda3 100644
--- a/fireflyiii/config.yaml
+++ b/fireflyiii/config.yaml
@@ -104,5 +104,5 @@ slug: fireflyiii
 startup: services
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "6.5.9"
+version: "6.5.10"
 webui: "[PROTO:ssl]://[HOST]:[PORT:8080]"
diff --git a/fireflyiii/rootfs/etc/cont-init.d/99-run.sh b/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
index a4639e637..d8be95a51 100755
--- a/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
+++ b/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
@@ -90,27 +90,52 @@ case $(bashio::config 'DB_CONNECTION') in
 DB_CONNECTION=mysql
 DB_HOST=$(bashio::services "mysql" "host")
 DB_PORT=$(bashio::services "mysql" "port")
- DB_DATABASE=firefly
- DB_USERNAME=$(bashio::services "mysql" "username")
- DB_PASSWORD=$(bashio::services "mysql" "password")
+
+ # Always fetch service discovery credentials for bootstrap operations (CREATE DATABASE)
+ BOOTSTRAP_USERNAME=$(bashio::services "mysql" "username")
+ BOOTSTRAP_PASSWORD=$(bashio::services "mysql" "password")
+
+ # Use user-configured database name if provided, otherwise default to 'firefly'
+ if bashio::config.has_value "DB_DATABASE"; then
+ DB_DATABASE=$(bashio::config "DB_DATABASE")
+ # Validate: only allow alphanumeric, underscore, and dash
+ if [[ ! "$DB_DATABASE" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+ bashio::exit.nok "DB_DATABASE contains invalid characters. Only alphanumeric, underscore, and dash are allowed."
+ fi
+ else
+ DB_DATABASE=firefly
+ fi
+
+ # Use user-configured credentials if provided, otherwise use service discovery
+ if bashio::config.has_value "DB_USERNAME"; then
+ DB_USERNAME=$(bashio::config "DB_USERNAME")
+ else
+ DB_USERNAME=${BOOTSTRAP_USERNAME}
+ fi
+ if bashio::config.has_value "DB_PASSWORD"; then
+ DB_PASSWORD=$(bashio::config "DB_PASSWORD")
+ else
+ DB_PASSWORD=${BOOTSTRAP_PASSWORD}
+ fi
+
 export DB_CONNECTION
 export DB_HOST && bashio::log.blue "DB_HOST=$DB_HOST"
 export DB_PORT && bashio::log.blue "DB_PORT=$DB_PORT"
 export DB_DATABASE && bashio::log.blue "DB_DATABASE=$DB_DATABASE"
 export DB_USERNAME && bashio::log.blue "DB_USERNAME=$DB_USERNAME"
- export DB_PASSWORD && bashio::log.blue "DB_PASSWORD=$DB_PASSWORD"
+ export DB_PASSWORD # do not log password
 bashio::log.warning "Firefly-iii is using the Maria DB addon"
 bashio::log.warning "Please ensure this is included in your backups"
 bashio::log.warning "Uninstalling the MariaDB addon will remove any data"
 bashio::log.info "Creating database for Firefly-iii if required"
- # Create database without SSL requirement
+ # Create database using service discovery credentials which have CREATE privilege
 mysql \
 --skip-ssl \
- -u "${DB_USERNAME}" -p"${DB_PASSWORD}" \
+ -u "${BOOTSTRAP_USERNAME}" -p"${BOOTSTRAP_PASSWORD}" \
 -h "${DB_HOST}" -P "${DB_PORT}" \
- -e "CREATE DATABASE IF NOT EXISTS \`firefly\`;"
+ -e "CREATE DATABASE IF NOT EXISTS \`${DB_DATABASE}\`;"
 ;;
 # Use remote
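Review bot: `DB_USERNAME` and `DB_PASSWORD` are overridden independently in the two added `if` blocks, so a configuration that sets only one of them ends up with a mixed pair: a user-chosen name with the service-discovery password, or the reverse. Besides failing authentication later, the first case exports the service account's password to the application under a different user name. I would reject the half-configured case up front, e.g. `if bashio::config.has_value "DB_USERNAME" && ! bashio::config.has_value "DB_PASSWORD"; then bashio::exit.nok "DB_USERNAME and DB_PASSWORD must be set together"; fi`, with the mirrored check for the password. Separately, the bootstrap call still passes `-p"${BOOTSTRAP_PASSWORD}"` on the command line, and that is now always the account with CREATE privilege; passing it through the environment for that one invocation (`MYSQL_PWD="${BOOTSTRAP_PASSWORD}" mysql ...`) or an options file would keep it out of the process list. The `case` arm these lines belong to starts above the hunk.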