opencloud

v7.0.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 13d File Storage & Sync

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Affected surfaces

rce_ssrf rbac breaking_upgrade

ReleasePort's take

Light signal

editorial:auto 13d

Persist space memberships in the share manager and add a service user config to the sharing service while bumping reva.

Why it matters: Breaking changes require updating configurations before upgrading; test migrations in dev environments prior to production rollout.

Summary

AI summary

Broad release touches 🐛 Bug Fixes, 📦️ Dependencies, fix, and ✅ Tests.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Disallow thumbnails for TIFF and JPEG2000 images Disallow thumbnails for TIFF and JPEG2000 images Source: llm_adapter@2026-05-21 Confidence: low	—
Breaking	Medium	Persist space memberships in share manager Persist space memberships in share manager Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Add service user config to sharing service, bump reva Add service user config to sharing service, bump reva Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Populate driveItem.webUrl per Libre Graph specification Populate driveItem.webUrl per Libre Graph specification Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Bump dotenv-expand from 12.0.3 to 13.0.0 in IDP service Bump dotenv-expand from 12.0.3 to 13.0.0 in IDP service Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix
Bugfix	Medium	Stop re-escaping email variables for each notification recipient Stop re-escaping email variables for each notification recipient Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Remove unnecessary error log when OIDC token verify is none Remove unnecessary error log when OIDC token verify is none Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Register chi REPORT method in init to avoid race condition Register chi REPORT method in init to avoid race condition Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Fix force-rescan flag name in search documentation Fix force-rescan flag name in search documentation Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Update README with LDAP certificate configuration details Update README with LDAP certificate configuration details Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Drop duplicate service field from probe fallback debug log Drop duplicate service field from probe fallback debug log Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Remove registry lookup from CLI command execution Remove registry lookup from CLI command execution Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Use runner to start activitylog service correctly Use runner to start activitylog service correctly Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

7.0.0 - 2026-05-21

❤️ Thanks to all contributors! ❤️

@AlexAndBear, @SAY-5, @ScharfViktor, @Svanvith, @butonic, @dragonchaser, @dschmidt, @fschade, @micbar, @michaelstingl, @rhafer

💥 Breaking changes

Persist space memberships in share manager [#2760]
[feature/guest-links] bump reva, add service user config to "sharing" service [#2735]

🔒 Security

fix: disallow thumbnails for tiff and jpeg2000 images [#2758]

🐛 Bug Fixes

fix(notifications): don't re-escape email vars for each recipient [#2805]
fix: remove unnecessary error log it the oidc access token verify method is set to none [#2795]
fix(debug): drop duplicate service field from probe fallback log [#2786]
No registry lookup in cli [#2755]
fix(webdav): register chi REPORT method in init to avoid race with settings [#2712]
fix: use runner to start activitylog service [#2748]
docs(search): fix force-rescan flag name in README [#2747]

✅ Tests

[full-ci] preview-tests. update fixtures for different processors [#2767]
test: modify exclude list and add coverage upload [#2762]
fix: cleaner debounce timer test [#2743]

📚 Documentation

Update README with LDAP certificate details [#2759]

📈 Enhancement

feat(graph): populate driveItem.webUrl per Libre Graph spec [#2744]

📦️ Dependencies

build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 [#2798]
build(deps): bump golang.org/x/image from 0.38.0 to 0.40.0 [#2740]
build(deps): bump github.com/tidwall/gjson from 1.18.0 to 1.19.0 [#2750]
build(deps-dev): bump dotenv-expand from 12.0.3 to 13.0.0 in /services/idp [#2710]
build(deps): bump github.com/onsi/ginkgo/v2 from 2.28.1 to 2.28.3 [#2739]

Breaking Changes

Persist space memberships in share manager
[feature/guest-links] add service user config to "sharing" service

Security Fixes

disallow thumbnails for TIFF and JPEG2000 images

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track opencloud

Get notified when new releases ship.

About opencloud

OpenCloud is the open source platform for file management, sharing and collaboration. Simple and sovereign.

All releases →