Visit NES for Spring Home Page
Spring Security 6.3.x Release Notes
3 versions
Comprehensive release notes and changelog for Spring Security 6.3.x, including security patches, bug fixes, and feature updates across all supported versions.
April 2026
6.3.13
Released Apr 23, 2026 Full Version:
6.3.10-spring-security-6.3.13
Bug Fixes
- Patched the authorization bypass in
DaoAuthenticationProviderwhere timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely onUserDetails#isEnabled,#isAccountNonExpired, or#isAccountNonLocked(CVE-2026-22746). - Patched the weak authentication issue in
NimbusJwtDecoderandNimbusReactiveJwtDecoderwhere JWT token validation is not enforced unless anOAuth2TokenValidator<Jwt>is explicitly configured viasetJwtValidator()(CVE-2026-22748).
Dependency Upgrades
- Spring Data BOM (NES)
2024.0.13-spring-data-bom-2024.0.16 - Spring Framework (NES)
6.1.21-spring-framework-6.1.27 - Spring LDAP (NES)
3.2.16-spring-ldap-3.2.20
March 2026
6.3.12
Released Mar 23, 2026 Full Version:
6.3.10-spring-security-6.3.12
Bug Fixes
- Patched the critical Spring Security vulnerability in
OnCommittedResponseWrapperwhere security headers are silently dropped whenContent-Lengthis set viasetHeader,setIntHeader, oraddIntHeader(CVE-2026-22732).
Dependency Upgrades
- Spring Framework (NES)
6.1.21-spring-framework-6.1.26
December 2025
6.3.11
Released Dec 10, 2025 Full Version:
6.3.10-spring-security-6.3.11
Notes
- This release originates from the open‑source Spring Security repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Security
6.3.10.
Dependency Upgrades
- Spring Data BOM (NES)
2024.0.13-spring-data-bom-2024.0.14 - Spring Framework (NES)
6.1.21-spring-framework-6.1.25Full Version:6.3.10-spring-security-6.3.11
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh