The /api/create endpoint accepted negative expire query values. For the memory storage backend, negative values were passed to secret creation as a negative duration and treated as no expiry, allowing callers to create secrets that persisted longer than intended.

Unauthenticated users could bypass configured retention expectations for secrets they create by sending POST /api/create?expire=-1.

This does not allow reading or modifying secrets created by other users. Secrets remain one-time-read and, in the normal web flow, client-side encrypted.

Versions up to and including v1.21.4 are affected.

Fixed in v1.21.5.

Disable expiry overrides via disableExpiryOverride: true until upgrading.

Reported by Chai Cheng Xun via email.