Spring Issues Security Updates Across Boot, Framework, Security, and Gateway
Spring published multiple security advisories covering several widely used components, including Spring Cloud Gateway, Spring Security, Spring Authorization Server, Spring Framework, and a critical update for Spring Boot. The Canadian Centre for Cyber Security said the advisories were released between April 9 and April 23 and identified affected version ranges across these product lines, with Spring Boot fixes specifically issued for the 4.0.x, 3.5.x, 3.4.x, 3.3.x, and 2.7.x release branches.
Canadian authorities urged organizations to review the referenced Spring advisories and apply the vendor updates for all impacted deployments. The notices describe the issue as a patching and vulnerability-management matter rather than confirmed active exploitation, but they emphasize that administrators should promptly update affected Spring environments to the patched versions listed by the vendor.
Timeline
Apr 23, 2026
Canadian Centre for Cyber Security issues Spring advisory AV26-386
On April 23, 2026, the Canadian Centre for Cyber Security published advisory AV26-386 highlighting Spring's new security advisories, including the critical Spring Boot update, and urged administrators to apply the fixes.
Apr 23, 2026
Spring publishes critical security update for Spring Boot
On April 23, 2026, Spring published security advisories that included a critical update for Spring Boot, identifying affected release lines and patched versions for 4.0.x, 3.5.x, 3.4.x, 3.3.x, and 2.7.x.
Apr 21, 2026
Canadian Centre for Cyber Security issues Spring advisory AV26-373
On April 21, 2026, the Canadian Centre for Cyber Security published advisory AV26-373 summarizing Spring's recent vulnerability advisories and urging users and administrators to review them and apply necessary updates.
Apr 9, 2026
Spring publishes multiple security advisories for core products
Between April 9 and April 21, 2026, Spring issued multiple security advisories covering vulnerabilities in Spring Cloud Gateway, Spring Security, Spring Authorization Server, and Spring Framework. The advisories identified affected version ranges and provided updates for impacted users.
Related Stories

Spring fixes TLS hostname verification flaws and DevTools timing attack issue
Spring published advisories for four vulnerabilities affecting its ecosystem, including three flaws in auto-configuration for **Elasticsearch**, **Cassandra**, and **RabbitMQ** that can disable TLS hostname verification when an SSL bundle is used. The issues are tracked as `CVE-2026-40970`, `CVE-2026-40974`, and `CVE-2026-40971`, respectively, and could weaken certificate validation for connections to those backend services. A fourth advisory, `CVE-2026-40972`, affects **Spring DevTools** and states that remote secret comparison is vulnerable to timing attacks. Together, the disclosures highlight risks in both transport security and authentication-related logic, with the TLS-related bugs potentially exposing applications to man-in-the-middle scenarios and the DevTools issue creating an avenue for attackers to infer secrets through response timing differences.
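The two failure modes named above, TLS hostname verification that is silently off and a secret comparison whose timing depends on the input, can both be demonstrated outside of Spring with plain JDK APIs. The following is an added example written for this page; it is not code from Spring, from any of the advisories, or from the affected auto-configuration. The secret value and the `example.invalid` host are constructed placeholders, and the class and method names are this example's own. It shows a byte-by-byte comparison that returns at the first mismatch beside `MessageDigest.isEqual`, which compares equal-length inputs in constant time, and it shows that a raw `SSLEngine` performs no hostname verification until an endpoint identification algorithm is set on its `SSLParameters`, which is the kind of check a team might run against its own TLS client setup after reading the three hostname-verification advisories.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SpringAdvisoryChecks {

    // Constructed sample secret for the demonstration; not a value from any advisory.
    static final byte[] EXPECTED = "constructed-devtools-secret".getBytes(StandardCharsets.UTF_8);

    // Timing-unsafe comparison: returns at the first mismatching byte, so the time
    // taken depends on how many leading bytes of the guess were correct.
    static boolean leakyEquals(byte[] expected, byte[] provided) {
        if (expected.length != provided.length) return false;
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != provided[i]) return false;
        }
        return true;
    }

    // Constant-time comparison: MessageDigest.isEqual examines every byte of
    // equal-length inputs regardless of where the first mismatch occurs.
    static boolean constantTimeEquals(byte[] expected, byte[] provided) {
        return MessageDigest.isEqual(expected, provided);
    }

    // A client-mode SSLEngine does not verify the peer hostname by default; the
    // endpoint identification algorithm has to be enabled explicitly.
    static SSLEngine engineWithHostnameVerification(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Audit helper: true only if HTTPS-style hostname verification is configured.
    static boolean verifiesHostname(SSLEngine engine) {
        return "HTTPS".equals(engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        byte[] guess = "constructed-devtools-secreX".getBytes(StandardCharsets.UTF_8);
        System.out.println("leakyEquals rejects wrong secret: " + !leakyEquals(EXPECTED, guess));
        System.out.println("constantTimeEquals rejects wrong secret: " + !constantTimeEquals(EXPECTED, guess));

        SSLContext ctx = SSLContext.getDefault();
        SSLEngine plain = ctx.createSSLEngine("example.invalid", 443);
        plain.setUseClientMode(true);
        System.out.println("default engine verifies hostname: " + verifiesHostname(plain));

        SSLEngine hardened = engineWithHostnameVerification(ctx, "example.invalid", 443);
        System.out.println("hardened engine verifies hostname: " + verifiesHostname(hardened));
    }
}
```

Both comparison functions give the same boolean answer; the difference is only in how long they take to reach it, which is exactly what a timing attack measures. The `verifiesHostname` check is the useful audit primitive here: applied to whatever `SSLEngine` or `SSLParameters` an application's Elasticsearch, Cassandra or RabbitMQ client ends up using, it tells you whether certificate-to-hostname binding is actually enforced rather than assumed.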
2 weeks ago
Spring discloses Spring AI injection flaw and Spring gRPC security context issues
Spring published three security advisories covering **Spring AI** and **Spring gRPC**, including `CVE-2026-40967`, a flaw in VectorStore `FilterExpressionConverter` implementations that can let attackers manipulate generated vector store queries because keys and values are not properly escaped. The issue affects Spring AI versions `1.0.0` through `1.0.5` and `1.1.0` through `1.1.4`, and is fixed in `1.0.6` and `1.1.5`. External vulnerability tracking describes the bug as a high-severity code or query injection risk with CVSS `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L` and maps it to `CWE-94`. Spring also disclosed two **Spring gRPC** vulnerabilities: `CVE-2026-40968`, in which `SecurityContext` data can leak across requests after an authorization failure, and `CVE-2026-40969`, where an `AuthenticationException` message may be reflected back to a remote client. Together, the advisories point to risks of query manipulation, cross-request security context exposure, and unintended error-message disclosure in applications built on affected Spring components.
1 week ago
Canadian Cyber Centre Advisories Highlight Linux Kernel and Other Vendor Patch Updates
The Canadian Centre for Cyber Security issued multiple advisories urging organizations to apply vendor patches released between **February 16–22, 2026**, including updates addressing **Linux kernel vulnerabilities** impacting **Ubuntu** (16.04 LTS through 25.10) and **Red Hat** platforms (including *RHEL* and related offerings). The advisories emphasize routine but potentially high-impact exposure from unpatched kernel flaws across widely deployed enterprise and server environments, and direct administrators to review upstream vendor notices and deploy the corresponding updates. Separate Cyber Centre advisories also flagged patch requirements outside the Linux kernel: Microsoft released an update for **Microsoft Edge Stable** to remediate vulnerabilities in versions prior to `145.0.3800.70`, IBM published security advisories covering multiple products (including *Aspera Enterprise WebApps*, *Cloud Pak System*, *Storage Defender*, and others), and CISA issued ICS advisories for vulnerabilities across several industrial and IoT/OT products (including **Delta Electronics**, **GE Vernova**, **Honeywell CCTV**, **Siemens Simcenter**, and others) with recommended mitigations and updates where available. A Linux 7.0 release-candidate feature article is not a security advisory and does not materially relate to the patch/vulnerability notices in the other items.
1 month ago