# Spring News Roundup: Point Releases of Boot, Security, Integration, Modulith and Spring AI 2.0 > Source: > Published: 2026-06-15 14:15:00+00:00 There was a flurry of activity in the Spring ecosystem during the week of June 8th, 2026, highlighting point releases of: Spring Boot, Spring Security, Spring Session, Spring Integration, Spring Modulith, Spring AMQP and Spring Vault; and GA releases of Spring AI 2.0 and Spring Data 2026.0.0. #### Spring Boot The [release](https://spring.io/blog/2026/06/10/spring-boot-4) of [Spring Boot](https://spring.io/projects/spring-boot) 4.1.0 delivers bug fixes, documentation improvements, dependency upgrades and new features such as: support for [Spring gRPC](https://spring.io/projects/spring-grpc); the addition of a public constructor to the class that accepts a string to describe the cause of the exception; and a reduction in memory consumption upon repeated calls the [InvalidConfigurationPropertyValueException](https://docs.spring.io/spring-boot/api/java/org/springframework/boot/context/properties/source/InvalidConfigurationPropertyValueException.html) **method defined in the** `toByteArray()` **interface. More details on this release may be found in the** [WritableJson](https://docs.spring.io/spring-boot/api/java/org/springframework/boot/json/WritableJson.html) [release notes](https://github.com/spring-projects/spring-boot/releases/tag/v4.1.0)and this InfoQ [news story](https://infoq.com/news/2026/06/spring-boot-4-1). #### Spring Data The [release](https://spring.io/blog/2026/06/09/spring-data-2026-0-0-generally-available) of [Spring Data](https://spring.io/projects/spring-data) 2026.0.0 ships with new features such as: compatibility with [Kotlin](https://kotlinlang.org/) 2.3.20 and [Vavr](https://vavr.io/) 0.11.0; new annotated Redis [publish/subscribe](https://github.com/spring-projects/spring-data-examples/blob/083ff1c38c9c77339828accf106f2c8f4b8bb511/redis/pubsub-listener/README.md) message listeners; and type-safe property paths. Further details on this release may be found in the [wiki](https://github.com/spring-projects/spring-data-commons/wiki/Spring-Data-2026.0-Release-Notes) page. #### Spring Security The [release](https://spring.io/blog/2026/06/09/spring-security-releases-2026-06) of [Spring Security](https://spring.io/projects/spring-security) 7.1.0 provides bug fixes, dependency upgrades and new features such as: a new functional interface that may be used as an assignment target for a lambda expression or method reference; and a new [InetAddressMatcher](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/util/matcher/InetAddressMatcher.html) **method, added to the** `anyOf()` **class, that returns an instance of the** [AllRequiredFactorsAuthorizationManager](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManager.html) **interface to grant access to a user who satisfies one of several different combinations of authentication factors. More details on this release may be found in the** [AuthorizationManager](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/authorization/AuthorizationManager.html) [release notes](https://github.com/spring-projects/spring-security/releases/tag/7.1.0)and this [what's new](https://docs.spring.io/spring-security/reference/whats-new.html)page. #### Spring Session The [release](https://spring.io/blog/2026/06/09/spring-session-releases-2026-06) of [Spring Session](https://spring.io/projects/spring-session) 4.1.0 delivers bug fixes and notable dependency upgrades such as: Spring Boot 4.1.0; Spring Security 7.1.0; Spring Framework 7.0.8; Spring Data 2025.1.6; Project Reactor 2025.0.6; Jackson 3.1.4; and Testcontainers 2.0.5. Further details on this release may be found in the [release notes](https://github.com/spring-projects/spring-session/releases/tag/4.1.0). #### Spring Integration The [release](https://spring.io/blog/2026/06/10/spring-integration-7-1-0-released) of [Spring Integration](https://spring.io/projects/spring-integration) 7.1.0 ships with bug fixes, documentation improvements, dependency upgrades and new features such as: disable the ** allowCredentials** element in the Spring Framework **annotation in favor of the** [@CrossOrigin](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html) **element to align with** `originPatterns` [Spring MVC](https://docs.spring.io/spring-framework/reference/web/webmvc.html); and improvements in the constructors for the **class that removes the exception handling in favor of the the Spring Framework** [ExpressionEvaluatingMessageProcessor](https://docs.spring.io/spring-integration/docs/7.1.0/api/org/springframework/integration/handler/ExpressionEvaluatingMessageProcessor.html) **class. More details on this release may be found in the** [Assert](https://docs.spring.io/spring-framework/docs/7.0.8/javadoc-api/org/springframework/util/Assert.html) [release notes](https://github.com/spring-projects/spring-integration/releases/tag/v7.1.0)and this [what's new](https://docs.spring.io/spring-integration/reference/whats-new.html)page. #### Spring HATEOAS The [release](https://spring.io/blog/2026/06/08/spring-hateoas-3-1-GA-3-0-7-and-2-5-3-released) of [Spring HATEOAS](https://spring.io/projects/spring-hateoas) 3.1.0 provides bug fixes, dependency upgrades and new features such as: improved caching in the class such that the cache does not grow beyond 256 entries; and changes to the [StringLinkRelation](https://github.com/spring-projects/spring-hateoas/blob/main/src/main/java/org/springframework/hateoas/StringLinkRelation.java) **method, defined in the** `canWrite()` **class, that aligns with the same method name defined in the Spring Framework** [TypeConstrainedJacksonJsonHttpMessageConverter](https://github.com/spring-projects/spring-hateoas/blob/main/src/main/java/org/springframework/hateoas/server/mvc/TypeConstrainedJacksonJsonHttpMessageConverter.java) **class.** [AbstractSmartHttpMessageConverter](https://docs.spring.io/spring-framework/docs/7.0.8/javadoc-api/org/springframework/http/converter/AbstractSmartHttpMessageConverter.html) This releases also addresses two CVEs: [CVE-2026-41006](https://spring.io/security/cve-2026-41006), a vulnerability that exposes a security-sensitive property due to a bypass of the Jackson access-control annotations.[CVE-2026-41007](https://spring.io/security/cve-2026-41007), a vulnerability that allows an attacker to supply their own malicious hypermedia due to an unbounded static cache of the aforementionedclass.`StringLinkRelation` Further details on this release may be found in the [release notes](https://github.com/spring-projects/spring-hateoas/releases/tag/3.1.0). #### Spring Modulith The [release](https://spring.io/blog/2026/06/11/spring-modulith-2-1-ga-2-0-7-and-1-4-12-released) of [Spring Modulith](https://spring.io/projects/spring-modulith) 2.1.0 delivers bug fixes, dependency upgrades and new features such as: a new set of classes, like , to support event outbox engine with [NamastackOutboxEventRecorder](https://docs.spring.io/spring-modulith/docs/current/api/org/springframework/modulith/events/namastack/NamastackOutboxEventRecorder.html) [Namastack](https://github.com/namastack); a new **class to support event externalization with** [JobRunrEventExternalizer](https://docs.spring.io/spring-modulith/docs/current/api/org/springframework/modulith/events/jobrunr/JobRunrEventExternalizer.html) [JobRunr](https://www.jobrunr.io/en/); and a new **annotation that allows for application module slicing in combination with the Spring Boot slice test annotations. More details on this release may be found in the** [@ModuleSlicing](https://docs.spring.io/spring-modulith/docs/current/api/org/springframework/modulith/test/ModuleSlicing.html) [release notes](https://github.com/spring-projects/spring-modulith/releases/tag/2.1.0). #### Spring AI The [release](https://spring.io/blog/2026/06/12/spring-ai-2-0-0-GA-available-now) of [Spring AI](https://spring.io/projects/spring-ai) 2.0.0 ships with bug fixes, documentation improvements, dependency upgrades and new features such as: updates in the Google GenAI models, defined in the enum class, that include deprecations of the [GoogleGenAiChatModel.ChatModel](https://docs.spring.io/spring-ai/docs/2.0.0/api/org/springframework/ai/google/genai/GoogleGenAiChatModel.ChatModel.html) **,** `GEMINI_2_0_FLASH` **and** `GEMINI_2_0_FLASH_LIGHT` **enumerations in favor of a new** `GEMINI_3_PRO_PREVIEW` **enumeration; and improved null safety in the** `GEMINI_3_1_PRO_PREVIEW` **package by replacing the deprecated methods defined in the Jackson Databind** [org.springframework.ai.image.observation](https://github.com/spring-projects/spring-ai/tree/main/spring-ai-model/src/main/java/org/springframework/ai/image/observation) **abstract class. Further details on this release may be found in the** [JsonNode](https://github.com/FasterXML/jackson-databind/blob/3.x/src/main/java/tools/jackson/databind/JsonNode.java) [release notes](https://github.com/spring-projects/spring-ai/releases/tag/v2.0.0). #### Spring AMQP The [release](https://spring.io/blog/2026/06/09/spring-amqp-4-1-0-available) of [Spring AMQP](https://spring.io/projects/spring-amqp) 4.1.0 provides bug fixes, dependency upgrades and new features such as: compatibility with [RabbitMQ](https://www.rabbitmq.com/) 4.3.0; a removal of the wildcard character from all Jackson message converters to "*trust no one*" by default; and a new ** spring-amqp-client** module that supports interaction with the generic [AMQP 1.0](https://www.oasis-open.org/standard/amqp/)protocol. More details on this release may be found in the [release notes](https://github.com/spring-projects/spring-amqp/releases/tag/v4.1.0)and this [what's new](https://docs.spring.io/spring-amqp/reference/whats-new.html)page. #### Spring for Apache Kafka The [release](https://spring.io/blog/2026/06/09/spring-kafka-4) of [Spring for Apache Kafka](https://spring.io/projects/spring-kafka) 4.1.0 delivers bug fixes, documentation improvements, dependency upgrades and a new feature that adapts the ** setBackOffFunction()**, defined in the **class, to process messages in batches.** [FailedRecordProcessor](https://docs.spring.io/spring-kafka/docs/4.1.0/api/org/springframework/kafka/listener/FailedRecordProcessor.html) This release also addresses three CVEs: [CVE-2026-41726](https://spring.io/security/cve-2026-41726), a vulnerability that allows an attacker to send malicious selector headers due to an unbounded consumer heap causing GC thrashing and anexception.`OutOfMemoryError` [CVE-2026-41727](https://spring.io/security/cve-2026-41727), a vulnerability that allows an attacker to send a record with a maliciousheader to "`retry_topic-attempts` *supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence.*" This could lead to an arbitrarily long pause that stalls a listener far beyond any intended retry window.[CVE-2026-41731](https://spring.io/security/cve-2026-41731), a vulnerability that allows an attacker to supply malicious header values to instances of theand deprecated[JsonKafkaHeaderMapper](https://docs.spring.io/spring-kafka/docs/4.1.0/api/org/springframework/kafka/support/JsonKafkaHeaderMapper.html)classes against trusted packages, with an implicit trust of all of its subpackages, using a prefix check that caused the consumer to deserialize arbitrary JDK types.[DefaultKafkaHeaderMapper](https://docs.spring.io/spring-kafka/docs/4.1.0/api/org/springframework/kafka/support/DefaultKafkaHeaderMapper.html) Further details on this release may be found in the [release notes](https://github.com/spring-projects/spring-kafka/releases/tag/v4.1.0). #### Spring LDAP The [release](https://spring.io/blog/2026/06/08/spring-ldap-releases-2026-06) of [Spring LDAP](https://spring.io/projects/spring-ldap) 4.1.0 ships with many dependency upgrades and a new feature that deprecates methods, ** toEntry()**, **,** `toObject()` **and** `toList()` **, in favor of new methods,** `toStream()` **,** `map()` **,** `single()` **,** `optional()` **and** `list()` **, added to the** `stream()` **interface.** [LdapClient](https://github.com/spring-projects/spring-ldap/blob/main/core/src/main/java/org/springframework/ldap/core/LdapClient.java) This release also addresses [CVE-2026-41720](https://spring.io/security/cve-2026-41720), a vulnerability that allows an attacker, with a valid username, to gain authorization by providing an empty or null password due to an implementation of the interface that does not reject such passwords. [DirContextAuthenticationStrategy](https://github.com/spring-projects/spring-ldap/blob/main/core/src/main/java/org/springframework/ldap/core/support/DirContextAuthenticationStrategy.java) More details on this release may be found in the [release notes](https://github.com/spring-projects/spring-ldap/releases/tag/4.1.0) and this [what's new](https://docs.spring.io/spring-ldap/reference/whats-new.html) page. #### Spring Vault The [release](https://spring.io/blog/2026/06/10/spring-vault-4-1-available) of [Spring Vault](https://spring.io/projects/spring-vault) 4.1.0 provides bug fixes, documentation improvements, dependency upgrades and new features such as: new interfaces, and [VaultClient](https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/client/VaultClient.html) **, designed to provide an "** [ReactiveVaultClient](https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/client/ReactiveVaultClient.html) *intermediate abstraction layer enforcing relative path handling at its core, preventing unintended absolute path usage*" when configured with an instance of the **class; and a new** [VaultEndpoint](https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/client/VaultEndpoint.html) **class to simplify consumption of managed secrets. Further details on this release may be found in the** [ManagedSecret](https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/core/lease/ManagedSecret.html) [release notes](https://github.com/spring-projects/spring-vault/releases/tag/4.1.0)and this [wiki](https://github.com/spring-projects/spring-vault/wiki/Spring-Vault-4.1-Release-Notes)page. #### Spring gRPC The [release](https://spring.io/blog/2026/06/10/spring-grpc-1-1-0-available-now) of [Spring gRPC](https://spring.io/projects/spring-grpc) 1.1.0 delivers bug fixes and notable changes such as: the ability to configure in-process channels by name within an application properties file; and the addition of annotation-based exception handling for gRPC services. More details on this release may be found in the [release notes](https://github.com/spring-projects/spring-grpc/releases/tag/v1.1.0).