On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring Security 6.5.10, 7.0.5, and 7.1.0-RC1.

These releases address the following CVEs:

  • CVE-2026-22746 "User Attribute Enumeration when Using DaoAuthenticationProvider"
  • CVE-2026-22747 "Unauthorized User Impersonation when Using X.509 Client Certificates"
  • CVE-2026-22748 "Potential Security Misconfiguration when Using withIssuerLocation"
  • CVE-2026-22753 "Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers"
  • CVE-2026-22754 "Servlet Path Not Correctly Included in Path Matching of XML Authorization Rules"
  • CVE-2026-22752 "Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata"
  • CVE-2026-22751 "Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions"

For the 7.1.0-RC1 release, please check out the main feature set in our What's New in Spring Security 7.1 page.

For a complete list of changes, refer to the changelogs:

Open source support for Spring Security 5.7.x, 5.8.x, 6.3.x, and 6.4.x generations has ended, see our support page for more information. Commercial customers can update to 5.7.23, 5.8.25, 6.3.16, or 6.4.16 respectively. These are also included in the latest Boot hot fixes, 2.7.32.2, 3.3.18.2, and 3.4.15.2. These versions are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription.

Project Page | GitHub | Issues | Documentation