Spring Issues Security Updates Across Boot, Framework, Security, and Gateway
Spring published multiple security advisories covering several widely used components, including Spring Cloud Gateway, Spring Security, Spring Authorization Server, Spring Framework, and a critical update for Spring Boot. The Canadian Centre for Cyber Security said the advisories were released between April 9 and April 23 and identified affected version ranges across these product lines, with Spring Boot fixes specifically issued for the 4.0.x, 3.5.x, 3.4.x, 3.3.x, and 2.7.x release branches.
Canadian authorities urged organizations to review the referenced Spring advisories and apply the vendor updates for all impacted deployments. The notices describe the issue as a patching and vulnerability-management matter rather than confirmed active exploitation, but they emphasize that administrators should promptly update affected Spring environments to the patched versions listed by the vendor.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security issues Spring advisory AV26-386
On April 23, 2026, the Canadian Centre for Cyber Security published advisory AV26-386 highlighting Spring's new security advisories, including the critical Spring Boot update, and urged administrators to apply the fixes.
Spring publishes critical security update for Spring Boot
On April 23, 2026, Spring published security advisories that included a critical update for Spring Boot, identifying affected release lines and patched versions for 4.0.x, 3.5.x, 3.4.x, 3.3.x, and 2.7.x.
Canadian Centre for Cyber Security issues Spring advisory AV26-373
On April 21, 2026, the Canadian Centre for Cyber Security published advisory AV26-373 summarizing Spring's recent vulnerability advisories and urging users and administrators to review them and apply necessary updates.
Spring publishes multiple security advisories for core products
Between April 9 and April 21, 2026, Spring issued multiple security advisories covering vulnerabilities in Spring Cloud Gateway, Spring Security, Spring Authorization Server, and Spring Framework. The advisories identified affected version ranges and provided updates for impacted users.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Warning: Multiple vulnerabilities in Spring Boot. Patch Immediately! | CCB Belgium
ccb.belgium.be
Open sourceSpring security advisory (AV26-386) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceSpring security advisory (AV26-373) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Spring Cloud Config and Spring AI Flaws Expose Systems to RCE and SSRF
The Canadian Centre for Cyber Security issued advisory **AV26-288** warning that multiple vulnerabilities disclosed by Spring affect **Spring Cloud Config** and **Spring AI**, including **server-side request forgery (SSRF)**, unintended file access, query injection, and a **SpEL injection** that can lead to **remote code execution (RCE)**. The notice says the issues were disclosed by Spring between March 23 and 26 and urged organizations to review the vendor advisories and assess exposure in affected deployments. Affected versions include **Spring Cloud Config** releases prior to **3.1.3**, **4.1.9**, **4.2.6**, **4.3.2**, and **5.0.2**, along with **Spring AI** versions prior to **1.0.5** and **1.1.4**. The Cyber Centre advised administrators and users to apply the relevant updates to reduce the risk of exploitation against exposed services and vulnerable application environments.
May 25, 2026
Spring patches LDAP auth bypass and multiple DoS flaws across Framework and Data
Spring disclosed a broad set of vulnerabilities across **Spring Framework**, **Spring Data Commons**, and **Spring LDAP**, including a high-severity authentication bypass tracked as `CVE-2026-41720`. The LDAP flaw allows login with a valid username and an empty or null password when the backing LDAP server permits unauthenticated binds, affecting authentication flows that use `AbstractContextSource`, `LdapTemplate`, or `LdapClient`. Spring also fixed a low-severity WebFlux session fixation issue (`CVE-2026-41839`) tied to compromised subdomains, and an information disclosure bug (`CVE-2026-41841`) in Spring MVC and WebFlux where shared static-resource caches could expose protected files if a public resource with the same name had already been cached. Several denial-of-service issues were patched at the same time. In Spring Framework, `CVE-2026-41840` can leak memory through malicious multipart requests in WebFlux, while `CVE-2026-41842` can tie up HTTP connections through slow resolution of versioned file-system resources in Spring MVC or WebFlux. In Spring Data Commons, `CVE-2026-41695`, `CVE-2026-41711`, `CVE-2026-41716`, and `CVE-2026-41721` can be triggered by attacker-controlled property paths, sort parameters, property names, or `@ProjectedPayload` data binding, leading to stack overflows, heap exhaustion, or excessive memory allocation when applications expose those inputs to untrusted users. Spring urged customers to upgrade to fixed releases, including Framework `7.0.8`, `6.2.19`, and `6.1.28`, Data Commons `4.0.6` and `3.5.12`, and LDAP `2.4.5`, `3.2.18`, `3.3.8`, or `4.0.4`, with some older branches receiving fixes only through commercial support.
Jun 11, 2026
Spring fixes TLS hostname verification flaws and DevTools timing attack issue
Spring published advisories for four vulnerabilities affecting its ecosystem, including three flaws in auto-configuration for **Elasticsearch**, **Cassandra**, and **RabbitMQ** that can disable TLS hostname verification when an SSL bundle is used. The issues are tracked as `CVE-2026-40970`, `CVE-2026-40974`, and `CVE-2026-40971`, respectively, and could weaken certificate validation for connections to those backend services. A fourth advisory, `CVE-2026-40972`, affects **Spring DevTools** and states that remote secret comparison is vulnerable to timing attacks. Together, the disclosures highlight risks in both transport security and authentication-related logic, with the TLS-related bugs potentially exposing applications to man-in-the-middle scenarios and the DevTools issue creating an avenue for attackers to infer secrets through response timing differences.
May 24, 2026