There was a flurry of activity in the Spring ecosystem during the week of June 8th, 2026, highlighting point releases of: Spring Boot, Spring Security, Spring Session, Spring Integration, Spring Modulith, Spring AMQP and Spring Vault; and GA releases of Spring AI 2.0 and Spring Data 2026.0.0.
Spring Boot
The release of Spring Boot 4.1.0 delivers bug fixes, documentation improvements, dependency upgrades and new features such as: support for Spring gRPC; the addition of a public constructor to the class that accepts a string to describe the cause of the exception; and a reduction in memory consumption upon repeated calls the
InvalidConfigurationPropertyValueException
method defined in the
toByteArray()
interface. More details on this release may be found in the
[WritableJson](https://docs.spring.io/spring-boot/api/java/org/springframework/boot/json/WritableJson.html)
[release notes](https://github.com/spring-projects/spring-boot/releases/tag/v4.1.0)and this InfoQ
[news story](https://infoq.com/news/2026/06/spring-boot-4-1).
Spring Data
The release of Spring Data 2026.0.0 ships with new features such as: compatibility with Kotlin 2.3.20 and Vavr 0.11.0; new annotated Redis publish/subscribe message listeners; and type-safe property paths. Further details on this release may be found in the wiki page.
Spring Security
The release of Spring Security 7.1.0 provides bug fixes, dependency upgrades and new features such as: a new functional interface that may be used as an assignment target for a lambda expression or method reference; and a new
method, added to the
anyOf()
class, that returns an instance of the
AllRequiredFactorsAuthorizationManager
interface to grant access to a user who satisfies one of several different combinations of authentication factors. More details on this release may be found in the
[release notes](https://github.com/spring-projects/spring-security/releases/tag/7.1.0)and this
[what's new](https://docs.spring.io/spring-security/reference/whats-new.html)page.
Spring Session
The release of Spring Session 4.1.0 delivers bug fixes and notable dependency upgrades such as: Spring Boot 4.1.0; Spring Security 7.1.0; Spring Framework 7.0.8; Spring Data 2025.1.6; Project Reactor 2025.0.6; Jackson 3.1.4; and Testcontainers 2.0.5. Further details on this release may be found in the release notes.
Spring Integration
The release of Spring Integration 7.1.0 ships with bug fixes, documentation improvements, dependency upgrades and new features such as: disable the ** allowCredentials** element in the Spring Framework
annotation in favor of the
@CrossOrigin element to align with
originPatterns
Spring MVC; and improvements in the constructors for the class that removes the exception handling in favor of the the Spring Framework
ExpressionEvaluatingMessageProcessor
class. More details on this release may be found in the
[Assert](https://docs.spring.io/spring-framework/docs/7.0.8/javadoc-api/org/springframework/util/Assert.html)
[release notes](https://github.com/spring-projects/spring-integration/releases/tag/v7.1.0)and this
[what's new](https://docs.spring.io/spring-integration/reference/whats-new.html)page.
Spring HATEOAS
The release of Spring HATEOAS 3.1.0 provides bug fixes, dependency upgrades and new features such as: improved caching in the class such that the cache does not grow beyond 256 entries; and changes to the
method, defined in the
canWrite()
class, that aligns with the same method name defined in the Spring Framework
TypeConstrainedJacksonJsonHttpMessageConverter
class.
AbstractSmartHttpMessageConverter
This releases also addresses two CVEs:
CVE-2026-41006, a vulnerability that exposes a security-sensitive property due to a bypass of the Jackson access-control annotations.CVE-2026-41007, a vulnerability that allows an attacker to supply their own malicious hypermedia due to an unbounded static cache of the aforementionedclass.StringLinkRelation
Further details on this release may be found in the release notes.
Spring Modulith
The release of Spring Modulith 2.1.0 delivers bug fixes, dependency upgrades and new features such as: a new set of classes, like , to support event outbox engine with
Namastack; a new class to support event externalization with
JobRunr; and a new annotation that allows for application module slicing in combination with the Spring Boot slice test annotations. More details on this release may be found in the
Spring AI
The release of Spring AI 2.0.0 ships with bug fixes, documentation improvements, dependency upgrades and new features such as: updates in the Google GenAI models, defined in the enum class, that include deprecations of the
GoogleGenAiChatModel.ChatModel
,
GEMINI_2_0_FLASH
and
GEMINI_2_0_FLASH_LIGHT
enumerations in favor of a new
GEMINI_3_PRO_PREVIEW
enumeration; and improved null safety in the
GEMINI_3_1_PRO_PREVIEW
package by replacing the deprecated methods defined in the Jackson Databind
org.springframework.ai.image.observation abstract class. Further details on this release may be found in the
[JsonNode](https://github.com/FasterXML/jackson-databind/blob/3.x/src/main/java/tools/jackson/databind/JsonNode.java)
[release notes](https://github.com/spring-projects/spring-ai/releases/tag/v2.0.0).
Spring AMQP
The release of Spring AMQP 4.1.0 provides bug fixes, dependency upgrades and new features such as: compatibility with RabbitMQ 4.3.0; a removal of the wildcard character from all Jackson message converters to "trust no one" by default; and a new ** spring-amqp-client** module that supports interaction with the generic
[AMQP 1.0](https://www.oasis-open.org/standard/amqp/)protocol. More details on this release may be found in the
[release notes](https://github.com/spring-projects/spring-amqp/releases/tag/v4.1.0)and this
[what's new](https://docs.spring.io/spring-amqp/reference/whats-new.html)page.
Spring for Apache Kafka
The release of Spring for Apache Kafka 4.1.0 delivers bug fixes, documentation improvements, dependency upgrades and a new feature that adapts the ** setBackOffFunction()**, defined in the
class, to process messages in batches.
This release also addresses three CVEs:
CVE-2026-41726, a vulnerability that allows an attacker to send malicious selector headers due to an unbounded consumer heap causing GC thrashing and anexception.OutOfMemoryError
CVE-2026-41727, a vulnerability that allows an attacker to send a record with a maliciousheader to "retry_topic-attempts
supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence." This could lead to an arbitrarily long that stalls a listener far beyond any intended retry window.CVE-2026-41731, a vulnerability that allows an attacker to supply malicious header values to instances of theand deprecatedJsonKafkaHeaderMapperclasses against trusted packages, with an implicit trust of all of its subpackages, using a prefix check that caused the consumer to deserialize arbitrary JDK types.DefaultKafkaHeaderMapper
Further details on this release may be found in the release notes.
Spring LDAP
The release of Spring LDAP 4.1.0 ships with many dependency upgrades and a new feature that deprecates methods, ** toEntry()**,
,
toObject()
and
toList()
, in favor of new methods,
toStream()
,
map()
,
single()
,
optional()
and
list()
, added to the
stream()
interface.
LdapClient This release also addresses CVE-2026-41720, a vulnerability that allows an attacker, with a valid username, to gain authorization by providing an empty or null password due to an implementation of the interface that does not reject such passwords.
DirContextAuthenticationStrategy
More details on this release may be found in the release notes and this what's new page.
Spring Vault
The release of Spring Vault 4.1.0 provides bug fixes, documentation improvements, dependency upgrades and new features such as: new interfaces, and
VaultClient , designed to provide an "
intermediate abstraction layer enforcing relative path handling at its core, preventing unintended absolute path usage" when configured with an instance of the
class; and a new
VaultEndpoint class to simplify consumption of managed secrets. Further details on this release may be found in the
[release notes](https://github.com/spring-projects/spring-vault/releases/tag/4.1.0)and this
[wiki](https://github.com/spring-projects/spring-vault/wiki/Spring-Vault-4.1-Release-Notes)page.
Spring gRPC
The release of Spring gRPC 1.1.0 delivers bug fixes and notable changes such as: the ability to configure in-process channels by name within an application properties file; and the addition of annotation-based exception handling for gRPC services. More details on this release may be found in the release notes.