Spring Boot 3.4.x Release Notes

3 versions

Comprehensive release notes and changelog for Spring Boot 3.4.x, including security patches, bug fixes, and feature updates across all supported versions.

Mar 25, 2026

Latest: 3.4.16

14 Patched Vulnerabilities

VEX Statements

March 2026

3.4.16

Released Mar 25, 2026

CVE-2026-22731

CVE-2026-22733

Full Version:

3.4.13-spring-boot-3.4.16

Bug Fixes

Patched Authentication Bypass under Actuator Health groups paths vulnerability (CVE-2026-22731).
Patched Authentication Bypass under Actuator CloudFoundry endpoints vulnerability (CVE-2026-22733).

Dependency Upgrades

Glassfish JAXB 4.0.7
Hibernate 6.6.45.Final
Jackson Bom 2.18.6
Jakarta XML WS 4.0.3
JBoss Logging 3.6.3.Final
Jetty 12.0.33
Lombok 1.18.44
Maven Failsafe Plugin 3.5.5
Maven Shade Plugin 3.6.2
Maven Surefire Plugin 3.5.5
Reactor Bom 2024.0.16
Spring Authorization Server (NES) 1.4.8-spring-authorization-server-1.4.10
Spring Batch (NES) 5.2.4-spring-batch-5.2.6
Spring Data BOM (NES) 2024.1.13-spring-data-bom-2024.1.15
Spring Framework 6.2.17
Spring GraphQL (NES) 1.3.7-spring-graphql-1.3.9
Spring HATEOAS (NES) 2.4.1-spring-hateoas-2.4.3
Spring Integration (NES) 6.4.10-spring-integration-6.4.12
Spring Kafka 3.3.14
Spring LDAP (NES) 3.2.16-spring-ldap-3.2.19
Spring Pulsar 1.2.16
Spring Security (NES) 6.4.13-spring-security-6.4.15
Spring Session (NES) 3.4.7-spring-session-3.4.9
Spring Web Services (NES) 4.0.17-spring-ws-4.0.19
Undertow 2.3.24.Final

February 2026

3.4.15

Released Feb 25, 2026

Full Version:

3.4.13-spring-boot-3.4.15

Bug Fixes

Fixed TLSv1.3 cipher configuration being silently ignored after Tomcat 10.1.52 upgrade. Applications that configured TLSv1.3 ciphers via server.ssl.ciphers or via options.ciphers in an SSL Bundle would have those ciphers silently dropped, falling back to all default ciphers.
- See our blog post for details: Silent TLS Cipher Downgrade in Spring Boot.

Dependency Upgrades

Hibernate 6.6.42.Final
Infinispan 15.0.22.Final
JBoss Logging 3.6.2.Final
Jakarta XML Bind 4.0.5
Jetty 12.0.32
Logback 1.5.32
MySQL 9.6.0
Netty 4.1.131.Final
Postgresql 42.7.10
Reactor Bom 2024.0.15
Spring AMQP 3.2.9
Spring Framework 6.2.16
Spring Kafka 3.3.13
Spring Pulsar 1.2.15
Tomcat 10.1.52
Undertow 2.3.23.Final
jOOQ 3.19.30

January 2026

3.4.14

Released Jan 28, 2026

Full Version:

3.4.13-spring-boot-3.4.14

Notes

This release originates from the open‑source Spring Boot repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Boot 3.4.13.

Dependency Upgrades

Spring AMQP (NES) 3.2.8-spring-amqp-3.2.9
Spring Authorization Server (NES) 1.4.8-spring-authorization-server-1.4.9
Spring Batch (NES) 5.2.4-spring-batch-5.2.5
Spring Data BOM (NES) 2024.1.13-spring-data-bom-2024.1.14
Spring HATEOAS (NES) 2.4.1-spring-hateoas-2.4.2
Spring Integration (NES) 6.4.10-spring-integration-6.4.11
Spring Kafka (NES) 3.3.11-spring-kafka-3.3.12
Spring LDAP (NES) 3.2.16-spring-ldap-3.2.18
Spring Pulsar (NES) 1.2.13-spring-pulsar-1.2.14
Spring Security (NES) 6.4.13-spring-security-6.4.14
Spring Session (NES) 3.4.7-spring-session-3.4.8
Spring Web Services (NES) 4.0.17-spring-ws-4.0.18

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team