Spring News Roundup: Point Releases of Boot, Security, Integration, Modulith and Spring AI 2.0

Spring ecosystem saw multiple point releases during the week of June 8, 2026, including Spring Boot 4.1.0, Spring Security 7.1.0, and Spring AI 2.0 GA, delivering bug fixes, dependency upgrades, and new features such as Spring gRPC support and Kotlin 2.3.20 compatibility.

There was a flurry of activity in the Spring ecosystem during the week of June 8th, 2026, highlighting point releases of: Spring Boot, Spring Security, Spring Session, Spring Integration, Spring Modulith, Spring AMQP and Spring Vault; and GA releases of Spring AI 2.0 and Spring Data 2026.0.0. Spring Boot The release https://spring.io/blog/2026/06/10/spring-boot-4 of Spring Boot https://spring.io/projects/spring-boot 4.1.0 delivers bug fixes, documentation improvements, dependency upgrades and new features such as: support for Spring gRPC https://spring.io/projects/spring-grpc ; the addition of a public constructor to the class that accepts a string to describe the cause of the exception; and a reduction in memory consumption upon repeated calls the InvalidConfigurationPropertyValueException https://docs.spring.io/spring-boot/api/java/org/springframework/boot/context/properties/source/InvalidConfigurationPropertyValueException.html method defined in the toByteArray interface. More details on this release may be found in the WritableJson https://docs.spring.io/spring-boot/api/java/org/springframework/boot/json/WritableJson.html release notes https://github.com/spring-projects/spring-boot/releases/tag/v4.1.0 and this InfoQ news story https://infoq.com/news/2026/06/spring-boot-4-1 . Spring Data The release https://spring.io/blog/2026/06/09/spring-data-2026-0-0-generally-available of Spring Data https://spring.io/projects/spring-data 2026.0.0 ships with new features such as: compatibility with Kotlin https://kotlinlang.org/ 2.3.20 and Vavr https://vavr.io/ 0.11.0; new annotated Redis publish/subscribe https://github.com/spring-projects/spring-data-examples/blob/083ff1c38c9c77339828accf106f2c8f4b8bb511/redis/pubsub-listener/README.md message listeners; and type-safe property paths. Further details on this release may be found in the wiki https://github.com/spring-projects/spring-data-commons/wiki/Spring-Data-2026.0-Release-Notes page. Spring Security The release https://spring.io/blog/2026/06/09/spring-security-releases-2026-06 of Spring Security https://spring.io/projects/spring-security 7.1.0 provides bug fixes, dependency upgrades and new features such as: a new functional interface that may be used as an assignment target for a lambda expression or method reference; and a new InetAddressMatcher https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/util/matcher/InetAddressMatcher.html method, added to the anyOf class, that returns an instance of the AllRequiredFactorsAuthorizationManager https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManager.html interface to grant access to a user who satisfies one of several different combinations of authentication factors. More details on this release may be found in the AuthorizationManager https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/authorization/AuthorizationManager.html release notes https://github.com/spring-projects/spring-security/releases/tag/7.1.0 and this what's new https://docs.spring.io/spring-security/reference/whats-new.html page. Spring Session The release https://spring.io/blog/2026/06/09/spring-session-releases-2026-06 of Spring Session https://spring.io/projects/spring-session 4.1.0 delivers bug fixes and notable dependency upgrades such as: Spring Boot 4.1.0; Spring Security 7.1.0; Spring Framework 7.0.8; Spring Data 2025.1.6; Project Reactor 2025.0.6; Jackson 3.1.4; and Testcontainers 2.0.5. Further details on this release may be found in the release notes https://github.com/spring-projects/spring-session/releases/tag/4.1.0 . Spring Integration The release https://spring.io/blog/2026/06/10/spring-integration-7-1-0-released of Spring Integration https://spring.io/projects/spring-integration 7.1.0 ships with bug fixes, documentation improvements, dependency upgrades and new features such as: disable the allowCredentials element in the Spring Framework annotation in favor of the @CrossOrigin https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html element to align with originPatterns Spring MVC https://docs.spring.io/spring-framework/reference/web/webmvc.html ; and improvements in the constructors for the class that removes the exception handling in favor of the the Spring Framework ExpressionEvaluatingMessageProcessor https://docs.spring.io/spring-integration/docs/7.1.0/api/org/springframework/integration/handler/ExpressionEvaluatingMessageProcessor.html class. More details on this release may be found in the Assert https://docs.spring.io/spring-framework/docs/7.0.8/javadoc-api/org/springframework/util/Assert.html release notes https://github.com/spring-projects/spring-integration/releases/tag/v7.1.0 and this what's new https://docs.spring.io/spring-integration/reference/whats-new.html page. Spring HATEOAS The release https://spring.io/blog/2026/06/08/spring-hateoas-3-1-GA-3-0-7-and-2-5-3-released of Spring HATEOAS https://spring.io/projects/spring-hateoas 3.1.0 provides bug fixes, dependency upgrades and new features such as: improved caching in the class such that the cache does not grow beyond 256 entries; and changes to the StringLinkRelation https://github.com/spring-projects/spring-hateoas/blob/main/src/main/java/org/springframework/hateoas/StringLinkRelation.java method, defined in the canWrite class, that aligns with the same method name defined in the Spring Framework TypeConstrainedJacksonJsonHttpMessageConverter https://github.com/spring-projects/spring-hateoas/blob/main/src/main/java/org/springframework/hateoas/server/mvc/TypeConstrainedJacksonJsonHttpMessageConverter.java class. AbstractSmartHttpMessageConverter https://docs.spring.io/spring-framework/docs/7.0.8/javadoc-api/org/springframework/http/converter/AbstractSmartHttpMessageConverter.html This releases also addresses two CVEs: CVE-2026-41006 https://spring.io/security/cve-2026-41006 , a vulnerability that exposes a security-sensitive property due to a bypass of the Jackson access-control annotations. CVE-2026-41007 https://spring.io/security/cve-2026-41007 , a vulnerability that allows an attacker to supply their own malicious hypermedia due to an unbounded static cache of the aforementionedclass. StringLinkRelation Further details on this release may be found in the release notes https://github.com/spring-projects/spring-hateoas/releases/tag/3.1.0 . Spring Modulith The release https://spring.io/blog/2026/06/11/spring-modulith-2-1-ga-2-0-7-and-1-4-12-released of Spring Modulith https://spring.io/projects/spring-modulith 2.1.0 delivers bug fixes, dependency upgrades and new features such as: a new set of classes, like , to support event outbox engine with NamastackOutboxEventRecorder https://docs.spring.io/spring-modulith/docs/current/api/org/springframework/modulith/events/namastack/NamastackOutboxEventRecorder.html Namastack https://github.com/namastack ; a new class to support event externalization with JobRunrEventExternalizer https://docs.spring.io/spring-modulith/docs/current/api/org/springframework/modulith/events/jobrunr/JobRunrEventExternalizer.html JobRunr https://www.jobrunr.io/en/ ; and a new annotation that allows for application module slicing in combination with the Spring Boot slice test annotations. More details on this release may be found in the @ModuleSlicing https://docs.spring.io/spring-modulith/docs/current/api/org/springframework/modulith/test/ModuleSlicing.html release notes https://github.com/spring-projects/spring-modulith/releases/tag/2.1.0 . Spring AI The release https://spring.io/blog/2026/06/12/spring-ai-2-0-0-GA-available-now of Spring AI https://spring.io/projects/spring-ai 2.0.0 ships with bug fixes, documentation improvements, dependency upgrades and new features such as: updates in the Google GenAI models, defined in the enum class, that include deprecations of the GoogleGenAiChatModel.ChatModel https://docs.spring.io/spring-ai/docs/2.0.0/api/org/springframework/ai/google/genai/GoogleGenAiChatModel.ChatModel.html , GEMINI 2 0 FLASH and GEMINI 2 0 FLASH LIGHT enumerations in favor of a new GEMINI 3 PRO PREVIEW enumeration; and improved null safety in the GEMINI 3 1 PRO PREVIEW package by replacing the deprecated methods defined in the Jackson Databind org.springframework.ai.image.observation https://github.com/spring-projects/spring-ai/tree/main/spring-ai-model/src/main/java/org/springframework/ai/image/observation abstract class. Further details on this release may be found in the JsonNode https://github.com/FasterXML/jackson-databind/blob/3.x/src/main/java/tools/jackson/databind/JsonNode.java release notes https://github.com/spring-projects/spring-ai/releases/tag/v2.0.0 . Spring AMQP The release https://spring.io/blog/2026/06/09/spring-amqp-4-1-0-available of Spring AMQP https://spring.io/projects/spring-amqp 4.1.0 provides bug fixes, dependency upgrades and new features such as: compatibility with RabbitMQ https://www.rabbitmq.com/ 4.3.0; a removal of the wildcard character from all Jackson message converters to " trust no one " by default; and a new spring-amqp-client module that supports interaction with the generic AMQP 1.0 https://www.oasis-open.org/standard/amqp/ protocol. More details on this release may be found in the release notes https://github.com/spring-projects/spring-amqp/releases/tag/v4.1.0 and this what's new https://docs.spring.io/spring-amqp/reference/whats-new.html page. Spring for Apache Kafka The release https://spring.io/blog/2026/06/09/spring-kafka-4 of Spring for Apache Kafka https://spring.io/projects/spring-kafka 4.1.0 delivers bug fixes, documentation improvements, dependency upgrades and a new feature that adapts the setBackOffFunction , defined in the class, to process messages in batches. FailedRecordProcessor https://docs.spring.io/spring-kafka/docs/4.1.0/api/org/springframework/kafka/listener/FailedRecordProcessor.html This release also addresses three CVEs: CVE-2026-41726 https://spring.io/security/cve-2026-41726 , a vulnerability that allows an attacker to send malicious selector headers due to an unbounded consumer heap causing GC thrashing and anexception. OutOfMemoryError CVE-2026-41727 https://spring.io/security/cve-2026-41727 , a vulnerability that allows an attacker to send a record with a maliciousheader to " retry topic-attempts supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence. " This could lead to an arbitrarily long pause that stalls a listener far beyond any intended retry window. CVE-2026-41731 https://spring.io/security/cve-2026-41731 , a vulnerability that allows an attacker to supply malicious header values to instances of theand deprecated JsonKafkaHeaderMapper https://docs.spring.io/spring-kafka/docs/4.1.0/api/org/springframework/kafka/support/JsonKafkaHeaderMapper.html classes against trusted packages, with an implicit trust of all of its subpackages, using a prefix check that caused the consumer to deserialize arbitrary JDK types. DefaultKafkaHeaderMapper https://docs.spring.io/spring-kafka/docs/4.1.0/api/org/springframework/kafka/support/DefaultKafkaHeaderMapper.html Further details on this release may be found in the release notes https://github.com/spring-projects/spring-kafka/releases/tag/v4.1.0 . Spring LDAP The release https://spring.io/blog/2026/06/08/spring-ldap-releases-2026-06 of Spring LDAP https://spring.io/projects/spring-ldap 4.1.0 ships with many dependency upgrades and a new feature that deprecates methods, toEntry , , toObject and toList , in favor of new methods, toStream , map , single , optional and list , added to the stream interface. LdapClient https://github.com/spring-projects/spring-ldap/blob/main/core/src/main/java/org/springframework/ldap/core/LdapClient.java This release also addresses CVE-2026-41720 https://spring.io/security/cve-2026-41720 , a vulnerability that allows an attacker, with a valid username, to gain authorization by providing an empty or null password due to an implementation of the interface that does not reject such passwords. DirContextAuthenticationStrategy https://github.com/spring-projects/spring-ldap/blob/main/core/src/main/java/org/springframework/ldap/core/support/DirContextAuthenticationStrategy.java More details on this release may be found in the release notes https://github.com/spring-projects/spring-ldap/releases/tag/4.1.0 and this what's new https://docs.spring.io/spring-ldap/reference/whats-new.html page. Spring Vault The release https://spring.io/blog/2026/06/10/spring-vault-4-1-available of Spring Vault https://spring.io/projects/spring-vault 4.1.0 provides bug fixes, documentation improvements, dependency upgrades and new features such as: new interfaces, and VaultClient https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/client/VaultClient.html , designed to provide an " ReactiveVaultClient https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/client/ReactiveVaultClient.html intermediate abstraction layer enforcing relative path handling at its core, preventing unintended absolute path usage " when configured with an instance of the class; and a new VaultEndpoint https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/client/VaultEndpoint.html class to simplify consumption of managed secrets. Further details on this release may be found in the ManagedSecret https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/core/lease/ManagedSecret.html release notes https://github.com/spring-projects/spring-vault/releases/tag/4.1.0 and this wiki https://github.com/spring-projects/spring-vault/wiki/Spring-Vault-4.1-Release-Notes page. Spring gRPC The release https://spring.io/blog/2026/06/10/spring-grpc-1-1-0-available-now of Spring gRPC https://spring.io/projects/spring-grpc 1.1.0 delivers bug fixes and notable changes such as: the ability to configure in-process channels by name within an application properties file; and the addition of annotation-based exception handling for gRPC services. More details on this release may be found in the release notes https://github.com/spring-projects/spring-grpc/releases/tag/v1.1.0 .