Spring News Roundup: Point Releases of Boot, Security, Integration, Modulith and Spring AI 2.0

2026-06-15 · Source: InfoQ · Field: Technology & Digital — Software Development & Engineering, Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Intermediate, medium

Summary

The Spring ecosystem saw significant activity during the week of June 8th, 2026, with numerous point and GA releases. Spring Boot 4.1.0 introduced Spring gRPC support and memory consumption reductions. Spring Data 2026.0.0 achieved GA, adding Kotlin 2.3.20 and Vavr 0.11.0 compatibility. Spring Security 7.1.0 enhanced authorization with InetAddressMatcher and anyOf() methods. Spring HATEOAS 3.1.0 improved caching and addressed CVE-2026-41006 and CVE-2026-41007, related to Jackson access control and unbounded caches. Spring AI 2.0.0 reached GA, updating Google GenAI models and improving null safety. Spring for Apache Kafka 4.1.0 adapted batch processing and fixed three CVEs, including CVE-2026-41726 for unbounded consumer heap and CVE-2026-41731 for malicious header deserialization. Spring LDAP 4.1.0 addressed CVE-2026-41720, preventing authorization bypass with empty passwords. Other updates included Spring Session 4.1.0, Spring Integration 7.1.0, Spring Modulith 2.1.0, Spring AMQP 4.1.0, Spring Vault 4.1.0, and Spring gRPC 1.1.0, all delivering bug fixes, dependency upgrades, and new features.

Key takeaway

For MLOps Engineers and Software Engineers managing Spring applications, promptly review and apply the latest point releases. Upgrading Spring HATEOAS to 3.1.0 and Spring for Apache Kafka to 4.1.0 is critical to mitigate recently identified CVEs, including those related to Jackson access control and malicious header deserialization. Additionally, ensure Spring LDAP 4.1.0 is implemented to prevent authorization bypass vulnerabilities. These updates enhance security, improve compatibility, and introduce new features like Spring AI 2.0.0's Google GenAI model updates, which you should integrate for advanced AI capabilities.

Key insights

Spring ecosystem components received numerous updates, focusing on security, compatibility, and new feature integrations.

Principles

• Continuous security patching is vital.
• Dependency alignment ensures stability.
• API evolution improves usability.

In practice

• Update Spring HATEOAS to 3.1.0 for CVE fixes.
• Upgrade Spring for Apache Kafka to 4.1.0 for security patches.
• Review Spring LDAP 4.1.0 changes to prevent auth bypass.

Topics

• Spring Framework
• Spring Boot
• Spring Security
• Spring AI
• Apache Kafka
• CVEs
• Dependency Management

Code references

• spring-projects/spring-boot
• spring-projects/spring-data-examples
• spring-projects/spring-data-commons
• spring-projects/spring-security
• spring-projects/spring-session

Best for: CTO, VP of Engineering/Data, AI Architect, Software Engineer, AI Engineer, MLOps Engineer

Related on AIssential

• Java News Roundup: GraalVM, Spring AI, JobRunr, GlassFish, Grails, Groovy, Quarkus Agent MCP — Java ecosystem components are rapidly evolving, with significant updates in concurrency, AI integration, and security.
• Spring AI SDK for Amazon Bedrock AgentCore is now Generally Available — The Spring AI AgentCore SDK simplifies building and deploying scalable, production-ready AI agents on Amazon Bedrock AgentCore using familiar Spring patterns.
• Java News Roundup: OpenJDK JEPs, Hazelcast, Quarkus, Hibernate, Koog, JHipster, Introducing Endive — The Java ecosystem is rapidly evolving with new JDK features, AI integration, and improved developer tooling.
• Kimi K2.6, GPT 5.5, Deepseek V4, Codex Superapp, Gemini 3.5, Grok 5 = AGI, & More! Huge AI NEWS! — The AI landscape is rapidly advancing with new models, enhanced agentic capabilities, and increased efficiency across both open-source and proprietary platforms.
• Securing the Distributed Ecosystem: A Deep Dive into Spring Security and Stateless JWT — Proper Spring Boot API security requires intentional design using BCrypt for passwords and stateless JWTs with custom validation.
• From Tool Calling to MCP: Building a Natural Language Search with Spring AI and MCP Server — MCP standardizes AI model communication with external tools, enabling reusability and independent deployment.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by InfoQ.