diff --git a/packages/data-service/src/connection-secrets.spec.ts b/packages/data-service/src/connection-secrets.spec.ts
index de831bef5d3..ec0778a7eed 100644
--- a/packages/data-service/src/connection-secrets.spec.ts
+++ b/packages/data-service/src/connection-secrets.spec.ts
@@ -65,6 +65,7 @@ describe('connection secrets', function () {
       const newConnectionInfo = mergeSecrets(originalConnectionInfo, {
         awsSessionToken: 'sessionToken',
         password: 'userPassword',
+        sshTunnelPassword: 'password',
         sshTunnelPassphrase: 'passphrase',
         tlsCertificateKeyFilePassword: 'tlsCertPassword',
         proxyPassword: 'bar',
@@ -81,6 +82,7 @@ describe('connection secrets', function () {
           sshTunnel: {
             host: 'localhost',
             username: 'user',
+            password: 'password',
             port: 22,
             identityKeyPassphrase: 'passphrase',
           },
@@ -141,6 +143,7 @@ describe('connection secrets', function () {
           sshTunnel: {
             host: 'localhost',
             username: 'user',
+            password: 'password',
             port: 22,
             identityKeyPassphrase: 'passphrase',
           },
@@ -166,6 +169,7 @@ describe('connection secrets', function () {
       expect(secrets).to.be.deep.equal({
         awsSessionToken: 'sessionToken',
         password: 'userPassword',
+        sshTunnelPassword: 'password',
         sshTunnelPassphrase: 'passphrase',
         tlsCertificateKeyFilePassword: 'tlsCertPassword',
         proxyPassword: 'bar',
diff --git a/packages/data-service/src/connection-secrets.ts b/packages/data-service/src/connection-secrets.ts
index 6aba25e9cc2..816309f6164 100644
--- a/packages/data-service/src/connection-secrets.ts
+++ b/packages/data-service/src/connection-secrets.ts
@@ -7,6 +7,7 @@ import type { MongoClientOptions, AuthMechanismProperties } from 'mongodb';
 
 export interface ConnectionSecrets {
   password?: string;
+  sshTunnelPassword?: string;
   sshTunnelPassphrase?: string;
   awsSessionToken?: string;
   tlsCertificateKeyFilePassword?: string;
@@ -35,6 +36,10 @@ export function mergeSecrets(
     uri.password = secrets.password;
   }
 
+  if (secrets.sshTunnelPassword && connectionOptions.sshTunnel) {
+    connectionOptions.sshTunnel.password = secrets.sshTunnelPassword;
+  }
+
   if (secrets.sshTunnelPassphrase && connectionOptions.sshTunnel) {
     connectionOptions.sshTunnel.identityKeyPassphrase =
       secrets.sshTunnelPassphrase;
@@ -89,6 +94,11 @@ export function extractSecrets(connectionInfo: Readonly<ConnectionInfo>): {
     uri.password = '';
   }
 
+  if (connectionOptions.sshTunnel?.password) {
+    secrets.sshTunnelPassword = connectionOptions.sshTunnel.password;
+    delete connectionOptions.sshTunnel.password;
+  }
+
   if (connectionOptions.sshTunnel?.identityKeyPassphrase) {
     secrets.sshTunnelPassphrase =
       connectionOptions.sshTunnel.identityKeyPassphrase;