plikshare

v1.1.26 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 22d File Storage & Sync

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

box-links collaboration external-uploads file-management file-sharing s3-storage

+4 more

secure-sharing self-hosted team-collaboration unlimited-users

Affected surfaces

auth

ReleasePort's take

Light signal

editorial:auto 13d

v1.1.26 removes plaintext invitation codes from queue job payloads, eliminating credential exposure in logs. The release adds shareable link invitations as an alternative to email delivery.

Why it matters: Plaintext credentials in queue systems expose through logs and monitoring tools. Update immediately if using cloud queues; migrate to shareable link invitations as the new delivery method.

Summary

AI summary

Plaintext invitation code no longer persists in queue job payloads, fixing a security vulnerability.

Changes in this release

Type	Severity	Summary	CVE
Security	High	Email for full-encryption workspace invites is sent synchronously after DB commit Email for full-encryption workspace invites is sent synchronously after DB commit Source: granite4.1:30b@2026-05-23-audit Confidence: low	—
Security	Medium	Plaintext invitation code no longer persists in queue job payloads Plaintext invitation code no longer persists in queue job payloads Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	Admin can invite users via shareable link instead of email Admin can invite users via shareable link instead of email Source: llm_adapter@2026-05-21 Confidence: high	—

Full changelog

1.1.26

[FEATURE] Admin can invite users via a shareable link instead of email — useful when no email provider is configured, or when the admin prefers to deliver the invitation out-of-band
[SECURITY] Plaintext invitation code for full-encryption workspace invites no longer persists in queue job payloads — it doubles as the KEK for the invitee's ephemeral private-key wrap. Email is now sent synchronously after DB commit; on failure the staged rows are rolled back. Non-FE flows unchanged.

Full Changelog: https://github.com/damian-krychowski/plikshare/compare/v1.1.25...v1.1.26

Security Fixes

Plaintext invitation code for full‑encryption workspace invites no longer persists in queue job payloads; email now sent synchronously after DB commit with rollback on failure

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track plikshare

Get notified when new releases ship.

About plikshare

PlikShare - Self-hosted file sharing platform with unlimited users, flexible storage options (local disk or S3), and secure external collaboration features. Own your data, control your infrastructure.

All releases →