Visit NES for Spring Home Page
Spring Security 6.2.x Release Notes
8 versions
Comprehensive release notes and changelog for Spring Security 6.2.x, including security patches, bug fixes, and feature updates across all supported versions.
June 2026
6.2.16
Released Jun 15, 2026 Full Version:
6.2.8-spring-security-6.2.16
Bug Fixes
- Capped the inflated size of compressed SAML 2.0 REDIRECT-binding payloads in
Saml2Utils, preventing an unauthenticated attacker from exhausting server memory (CVE-2026-40988). - Hardened the SAML 2.0 filters to route generated HTML forms through
FormPostRedirectStrategy, preventing arbitrary code execution via attacker-influencedRelyingPartyRegistrationvalues (CVE-2026-41003). - Reworked SAML login and logout validation so signature validation gates decryption, closing a decryption-oracle weakness in the OpenSAML authentication and logout providers (CVE-2026-41694).
- Fixed an open-redirect vulnerability in
CookieRequestCacheandCookieServerRequestCache, which stored and used an unvalidated absolute redirect URL; saved requests now favor relative URIs (CVE-2026-41706). - Tightened Subject DN parsing in the deprecated
SubjectDnX509PrincipalExtractor, preventing a crafted X.509 client certificate from authenticating as another user (CVE-2026-47838).
Dependency Upgrades
- Spring Data BOM (NES)
2023.1.12-spring-data-bom-2023.1.19 - Spring Framework (NES)
6.1.21-spring-framework-6.1.28 - Spring LDAP (NES)
3.2.16-spring-ldap-3.2.21
April 2026
6.2.15
Released Apr 23, 2026 Full Version:
6.2.8-spring-security-6.2.15
Bug Fixes
- Patched the authorization bypass in
DaoAuthenticationProviderwhere timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely onUserDetails#isEnabled,#isAccountNonExpired, or#isAccountNonLocked(CVE-2026-22746). - Patched the weak authentication issue in
NimbusJwtDecoderandNimbusReactiveJwtDecoderwhere JWT token validation is not enforced unless anOAuth2TokenValidator<Jwt>is explicitly configured viasetJwtValidator()(CVE-2026-22748).
Dependency Upgrades
- Spring Data BOM (NES)
2023.1.12-spring-data-bom-2023.1.18 - Spring Framework (NES)
6.1.21-spring-framework-6.1.27 - Spring LDAP (NES)
3.2.16-spring-ldap-3.2.20
March 2026
6.2.14
Released Mar 23, 2026 Full Version:
6.2.8-spring-security-6.2.14
Bug Fixes
- Patched the critical Spring Security vulnerability in
OnCommittedResponseWrapperwhere security headers are silently dropped whenContent-Lengthis set viasetHeader,setIntHeader, oraddIntHeader(CVE-2026-22732).
Dependency Upgrades
- Spring Framework (NES)
6.1.21-spring-framework-6.1.26
October 2025
6.2.13
Released Oct 24, 2025 Full Version:
6.2.8-spring-security-6.2.13
Dependency Upgrades
- Spring Data BOM (NES)
2023.1.12-spring-data-bom-2023.1.16 - Spring Framework (NES)
6.1.21-spring-framework-6.1.25 - Spring LDAP (NES)
3.2.13-spring-ldap-3.2.17
September 2025
6.2.12
Released Sep 23, 2025 Full Version:
6.2.8-spring-security-6.2.12
Dependency Upgrades
- Spring Data BOM (NES)
2023.1.12-spring-data-bom-2023.1.15 - Spring Framework (NES)
6.1.21-spring-framework-6.1.24 - Spring LDAP (NES)
3.2.13-spring-ldap-3.2.16
August 2025
6.2.11
Released Aug 22, 2025 Full Version:
6.2.8-spring-security-6.2.11
Dependency Upgrades
- Spring Framework (NES)
6.1.21-spring-framework-6.1.23
July 2025
6.2.10
Released Jul 15, 2025 Full Version:
6.2.8-spring-security-6.2.10
Dependency Upgrades
- Spring Data BOM (NES)
2023.1.12-spring-data-bom-2023.1.13 - Spring Framework (NES)
6.1.21-spring-framework-6.1.22 - Spring LDAP (NES)
3.2.13-spring-ldap-3.2.14
May 2025
6.2.9
Released May 27, 2025 Full Version:
6.2.8-spring-security-6.2.9
Bug Fixes
- This release patches the following:
- CVE-2025-22234: Maximum password length enforced in the
BCryptPasswordEncoder(patch for CVE-2025-22228) breaks timing attack mitigation in theDaoAuthenticationProvider.org.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9
- CVE-2025-22228: Maximum password length is not enforced in
BCryptPasswordEncoderorg.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9
- CVE-2025-22234: Maximum password length enforced in the
Notes
- This release originates from the open‑source Spring Security repository forked by HeroDevs starting with version
6.2.8. - Includes other modifications implemented by HeroDevs to ensure successful library builds.
Full Version:
6.2.8-spring-security-6.2.9
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh