Well, Debug mode shows all kind of interactions, from internal sql commands, to raw lines, verbose information, etc.
So when admin´s pass (md5 password) is read from database and decrypted to clear text....this processes is fully logged as well ....since thats debug mode for.
That´s why I don´t think this is bug; this is by design.
Moreover; anyone who can read the logs and the password (through web or ssh) , is administrator of the server.