Spring Security 6.2.x Release Notes

7 versions

Comprehensive release notes and changelog for Spring Security 6.2.x, including security patches, bug fixes, and feature updates across all supported versions.

Apr 23, 2026

Latest: 6.2.15

44 Patched Vulnerabilities

VEX Statements

April 2026

6.2.15

Released Apr 23, 2026

CVE-2026-22746

CVE-2026-22748

Full Version:

6.2.8-spring-security-6.2.15

Bug Fixes

Patched the authorization bypass in DaoAuthenticationProvider where timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked (CVE-2026-22746).
Patched the weak authentication issue in NimbusJwtDecoder and NimbusReactiveJwtDecoder where JWT token validation is not enforced unless an OAuth2TokenValidator<Jwt> is explicitly configured via setJwtValidator() (CVE-2026-22748).

Dependency Upgrades

Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.18
Spring Framework (NES) 6.1.21-spring-framework-6.1.27
Spring LDAP (NES) 3.2.16-spring-ldap-3.2.20

March 2026

6.2.14

Released Mar 23, 2026

CVE-2026-22732

Full Version:

6.2.8-spring-security-6.2.14

Bug Fixes

Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

Spring Framework (NES) 6.1.21-spring-framework-6.1.26

October 2025

6.2.13

Released Oct 24, 2025

Full Version:

6.2.8-spring-security-6.2.13

Dependency Upgrades

Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.16
Spring Framework (NES) 6.1.21-spring-framework-6.1.25
Spring LDAP (NES) 3.2.13-spring-ldap-3.2.17

September 2025

6.2.12

Released Sep 23, 2025

Full Version:

6.2.8-spring-security-6.2.12

Dependency Upgrades

Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.15
Spring Framework (NES) 6.1.21-spring-framework-6.1.24
Spring LDAP (NES) 3.2.13-spring-ldap-3.2.16

August 2025

6.2.11

Released Aug 22, 2025

Full Version:

6.2.8-spring-security-6.2.11

Dependency Upgrades

Spring Framework (NES) 6.1.21-spring-framework-6.1.23

July 2025

6.2.10

Released Jul 15, 2025

Full Version:

6.2.8-spring-security-6.2.10

Dependency Upgrades

Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.13
Spring Framework (NES) 6.1.21-spring-framework-6.1.22
Spring LDAP (NES) 3.2.13-spring-ldap-3.2.14

May 2025

6.2.9

Released May 27, 2025

CVE-2025-22234

CVE-2025-22228

Full Version:

6.2.8-spring-security-6.2.9

Bug Fixes

This release patches the following:
- CVE-2025-22234: Maximum password length enforced in the BCryptPasswordEncoder (patch for CVE-2025-22228) breaks timing attack mitigation in the DaoAuthenticationProvider.
  - org.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9
- CVE-2025-22228: Maximum password length is not enforced in BCryptPasswordEncoder
  - org.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9

Notes

This release originates from the open‑source Spring Security repository forked by HeroDevs starting with version 6.2.8.
Includes other modifications implemented by HeroDevs to ensure successful library builds. Full Version: 6.2.8-spring-security-6.2.9

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team