There was a flurry of activity in the Spring ecosystem during the week of June 8th, 2026, highlighting point releases of: Spring Boot, Spring Security, Spring Session, Spring Integration, Spring Modulith, Spring AMQP and Spring Vault; and GA releases of Spring AI 2.0 and Spring Data 2026.0.0.
Spring Boot
The release of Spring Boot 4.1.0 delivers bug fixes, documentation improvements, dependency upgrades and new features such as: support for Spring gRPC; the addition of a public constructor to the InvalidConfigurationPropertyValueException class that accepts a string to describe the cause of the exception; and a reduction in memory consumption upon repeated calls the toByteArray() method defined in the WritableJson interface. More details on this release may be found in the release notes and this InfoQ news story.
Spring Data
The release of Spring Data 2026.0.0 ships with new features such as: compatibility with Kotlin 2.3.20 and Vavr 0.11.0; new annotated Redis publish/subscribe message listeners; and type-safe property paths. Further details on this release may be found in the wiki page.
Spring Security
The release of Spring Security 7.1.0 provides bug fixes, dependency upgrades and new features such as: a new InetAddressMatcher functional interface that may be used as an assignment target for a lambda expression or method reference; and a new anyOf() method, added to the AllRequiredFactorsAuthorizationManager class, that returns an instance of the AuthorizationManager interface to grant access to a user who satisfies one of several different combinations of authentication factors. More details on this release may be found in the release notes and this what's new page.
Spring Session
The release of Spring Session 4.1.0 delivers bug fixes and notable dependency upgrades such as: Spring Boot 4.1.0; Spring Security 7.1.0; Spring Framework 7.0.8; Spring Data 2025.1.6; Project Reactor 2025.0.6; Jackson 3.1.4; and Testcontainers 2.0.5. Further details on this release may be found in the release notes.
Spring Integration
The release of Spring Integration 7.1.0 ships with bug fixes, documentation improvements, dependency upgrades and new features such as: disable the allowCredentials element in the Spring Framework @CrossOrigin annotation in favor of the originPatterns element to align with Spring MVC; and improvements in the constructors for the ExpressionEvaluatingMessageProcessor class that removes the exception handling in favor of the the Spring Framework Assert class. More details on this release may be found in the release notes and this what's new page.
Spring HATEOAS
The release of Spring HATEOAS 3.1.0 provides bug fixes, dependency upgrades and new features such as: improved caching in the StringLinkRelation class such that the cache does not grow beyond 256 entries; and changes to the canWrite() method, defined in the TypeConstrainedJacksonJsonHttpMessageConverter class, that aligns with the same method name defined in the Spring Framework AbstractSmartHttpMessageConverter class.
This releases also addresses two CVEs:
- CVE-2026-41006, a vulnerability that exposes a security-sensitive property due to a bypass of the Jackson access-control annotations.
- CVE-2026-41007, a vulnerability that allows an attacker to supply their own malicious hypermedia due to an unbounded static cache of the aforementioned
StringLinkRelationclass.
Further details on this release may be found in the release notes.
Spring Modulith
The release of Spring Modulith 2.1.0 delivers bug fixes, dependency upgrades and new features such as: a new set of classes, like NamastackOutboxEventRecorder, to support event outbox engine with Namastack; a new JobRunrEventExternalizer class to support event externalization with JobRunr; and a new @ModuleSlicing annotation that allows for application module slicing in combination with the Spring Boot slice test annotations. More details on this release may be found in the release notes.
Spring AI
The release of Spring AI 2.0.0 ships with bug fixes, documentation improvements, dependency upgrades and new features such as: updates in the Google GenAI models, defined in the GoogleGenAiChatModel.ChatModel enum class, that include deprecations of the GEMINI_2_0_FLASH, GEMINI_2_0_FLASH_LIGHT and GEMINI_3_PRO_PREVIEW enumerations in favor of a new GEMINI_3_1_PRO_PREVIEW enumeration; and improved null safety in the org.springframework.ai.image.observation package by replacing the deprecated methods defined in the Jackson Databind JsonNode abstract class. Further details on this release may be found in the release notes.
Spring AMQP
The release of Spring AMQP 4.1.0 provides bug fixes, dependency upgrades and new features such as: compatibility with RabbitMQ 4.3.0; a removal of the wildcard character from all Jackson message converters to "trust no one" by default; and a new spring-amqp-client module that supports interaction with the generic AMQP 1.0 protocol. More details on this release may be found in the release notes and this what's new page.
Spring for Apache Kafka
The release of Spring for Apache Kafka 4.1.0 delivers bug fixes, documentation improvements, dependency upgrades and a new feature that adapts the setBackOffFunction(), defined in the FailedRecordProcessor class, to process messages in batches.
This release also addresses three CVEs:
- CVE-2026-41726, a vulnerability that allows an attacker to send malicious selector headers due to an unbounded consumer heap causing GC thrashing and an
OutOfMemoryErrorexception. - CVE-2026-41727, a vulnerability that allows an attacker to send a record with a malicious
retry_topic-attemptsheader to "supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence." This could lead to an arbitrarily long pause that stalls a listener far beyond any intended retry window. - CVE-2026-41731, a vulnerability that allows an attacker to supply malicious header values to instances of the
JsonKafkaHeaderMapperand deprecatedDefaultKafkaHeaderMapperclasses against trusted packages, with an implicit trust of all of its subpackages, using a prefix check that caused the consumer to deserialize arbitrary JDK types.
Further details on this release may be found in the release notes.
Spring LDAP
The release of Spring LDAP 4.1.0 ships with many dependency upgrades and a new feature that deprecates methods, toEntry(), toObject(), toList() and toStream(), in favor of new methods, map(), single(), optional(), list() and stream(), added to the LdapClient interface.
This release also addresses CVE-2026-41720, a vulnerability that allows an attacker, with a valid username, to gain authorization by providing an empty or null password due to an implementation of the DirContextAuthenticationStrategy interface that does not reject such passwords.
More details on this release may be found in the release notes and this what's new page.
Spring Vault
The release of Spring Vault 4.1.0 provides bug fixes, documentation improvements, dependency upgrades and new features such as: new interfaces, VaultClient and ReactiveVaultClient, designed to provide an "intermediate abstraction layer enforcing relative path handling at its core, preventing unintended absolute path usage" when configured with an instance of the VaultEndpoint class; and a new ManagedSecret class to simplify consumption of managed secrets. Further details on this release may be found in the release notes and this wiki page.
Spring gRPC
The release of Spring gRPC 1.1.0 delivers bug fixes and notable changes such as: the ability to configure in-process channels by name within an application properties file; and the addition of annotation-based exception handling for gRPC services. More details on this release may be found in the release notes.