⚠️ Security Fixes
This maintenance release fixes a high number of CVEs; you can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:
- CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
- CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
- CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
- CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
- CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
- CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
- CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
- CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
- CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
- CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
- CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
- CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
- CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
- CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
- CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
- CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"
⭐ New Features
- Improve path pattern matching #36886
- Eagerly compute exit descriptors for negative literals #36887
- Expose `ClassLoader` from `DefaultDeserializer` #36839
- Refine default view name resolution #36794
- Refine Jackson JMS converters #36792
- Improve ABNF rule checks in RfcUriParser #36788
- Detect custom deserialized `NullValue` instances in `AbstractValueAdaptingCache` #36728
- Warn against unsafe static resource locations in MVC and WebFlux #36693
- Consistent compatibility with Woodstox as an alternative to Xerces #36683
🐞 Bug Fixes
- Data is lost for joined DataBuffer in DataBufferUtils #36874
- CronExpression skips days on midnight DST gap #36873
- Concurrency issue against shared cookie field in `CookieLocaleResolver#setLocaleContext` #36870
- Server Sent Event does not support multi-line comments #36867
- Regression in 6.2.0+: `ConfigurationClassParser` incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36849
- Bean Background Bootstrap and Lazy Init #36847
- Fix JSP tag processing #36798
- Fix script processing capabilities #36796
- Parsing failure for MIME type with quoted parameter values #36734
- Circular dependency between supplier-created beans is silently ignored on startup #36732
- Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36722
- Regression on value class parameter handling #36720
- Cache collisions in CachingResourceResolver #36718
- Unexpected path element removal when resolving versioned resources #36699
📔 Documentation
- Fix broken links to Selenium documentation #36877
- Fix applicability note on setAutoGrowCollectionLimit #36864
- Javadoc of nestingLevel parameter in MethodParameter constructor is inconsistent with actual implementation #36848