Spring Authorization Server 1.4.x Release Notes

3 versions

Comprehensive release notes and changelog for Spring Authorization Server 1.4.x, including security patches, bug fixes, and feature updates across all supported versions.

Apr 23, 2026
Latest: 1.4.11
3 Patched Vulnerabilities
VEX Statements

April 2026

1.4.11

Released Apr 23, 2026
Full Version:
1.4.8-spring-authorization-server-1.4.11

Bug Fixes

  • Patched the critical Spring Authorization Server authorization bypass in Dynamic Client Registration where insufficient validation of client metadata could allow an attacker with a valid Initial Access Token to register a malicious client, leading to stored XSS, privilege escalation, or SSRF (CVE-2026-22752).

Dependency Upgrades

  • Spring Security (NES) 6.4.13-spring-security-6.4.16

March 2026

1.4.10

Released Mar 25, 2026
Full Version:
1.4.8-spring-authorization-server-1.4.10

Dependency Upgrades

  • Spring Framework 6.2.17
  • Spring Security (NES) 6.4.13-spring-security-6.4.15

January 2026

1.4.9

Released Jan 28, 2026
Full Version:
1.4.8-spring-authorization-server-1.4.9

Notes

  • This release originates from the open‑source Spring Authorization Server repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Authorization Server 1.4.8.
