Spring Security 6.4.x Release Notes

3 versions

Comprehensive release notes and changelog for Spring Security 6.4.x, including security patches, bug fixes, and feature updates across all supported versions.

Apr 23, 2026
Latest: 6.4.16
44 Patched Vulnerabilities

April 2026

6.4.16

Full Version:
6.4.13-spring-security-6.4.16

Bug Fixes

  • Patched the authorization bypass in DaoAuthenticationProvider where timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked (CVE-2026-22746).
  • Patched the weak authentication issue in NimbusJwtDecoder and NimbusReactiveJwtDecoder where JWT token validation is not enforced unless an OAuth2TokenValidator<Jwt> is explicitly configured via setJwtValidator() (CVE-2026-22748).
  • Patched the authorization bypass in JdbcOneTimeTokenService where a time-of-check time-of-use race condition allowed concurrent one-time token login requests to bypass the single-use constraint (CVE-2026-22751).
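The CVE-2026-22748 entry above notes that NimbusJwtDecoder and NimbusReactiveJwtDecoder only enforce token validation when an OAuth2TokenValidator<Jwt> is explicitly set through setJwtValidator(). The configuration below is an added example, not code from HeroDevs or the Spring Security project, showing that explicit setting on a resource-server decoder: the default timestamp checks plus an issuer check, combined with an audience check. The issuer URI, the audience value and the bean and class names are placeholders, and the audience predicate is an assumed policy for the illustrated API.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Placeholder values: substitute the authorization server's issuer and this API's audience.
    private static final String ISSUER = "https://issuer.example.invalid";
    private static final String AUDIENCE = "my-api";

    @Bean
    JwtDecoder jwtDecoder() {
        // Build the decoder from the issuer's discovery document, then set the validator explicitly
        // rather than relying on whatever the decoder applies on its own.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
        decoder.setJwtValidator(jwtValidator());
        return decoder;
    }

    // Explicit validator: default timestamp checks (exp/nbf) and issuer check from Spring Security,
    // plus an audience check so tokens minted for another API are rejected.
    static OAuth2TokenValidator<Jwt> jwtValidator() {
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE));
        return new DelegatingOAuth2TokenValidator<>(withIssuer, audience);
    }
}
```

The reactive decoder takes the same validator object through NimbusReactiveJwtDecoder#setJwtValidator. Defining the JwtDecoder bean yourself, as here, replaces any auto-configured decoder, so the validator chain you see in this class is the one that runs.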

Dependency Upgrades

  • Spring Data BOM (NES) 2024.1.13-spring-data-bom-2024.1.16
  • Spring LDAP (NES) 3.2.16-spring-ldap-3.2.20

March 2026

6.4.15

Released Mar 23, 2026
Full Version:
6.4.13-spring-security-6.4.15

Bug Fixes

  • Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

  • Spring Framework 6.2.17
  • Spring Data BOM (NES) 2024.1.13-spring-data-bom-2024.1.14
  • Spring LDAP (NES) 3.2.16-spring-ldap-3.2.18

January 2026

6.4.14

Released Jan 28, 2026
Full Version:
6.4.13-spring-security-6.4.14

Notes

  • This release originates from the open-source Spring Security repository forked by HeroDevs. It includes the changes HeroDevs made to get the framework building successfully. This release contains no functional changes from Spring Security 6.4.13.
