Spring Product Security Update Advisory

  • Security updates have been released to address multiple vulnerabilities in Spring products.
  • The affected products are Micrometer, micrometer-core, micrometer-jetty11, micrometer-jetty12, Spring Integration, Spring Security, Spring Web Services, Spring HATEOAS, Spring Data Commons, Spring for GraphQL, Spring Data MongoDB, Spring LDAP, Spring Data REST, Spring for Apache Kafka, and Spring for Apache Pulsar.
  • The vulnerabilities addressed include denial of service, arbitrary file write, insecure deserialization, authentication bypass, access control bypass, cross-site scripting (XSS), XML External Entity (XXE) injection, server-side request forgery (SSRF), SpEL expression injection, and cross-site WebSocket hijacking.
  • CVE-2026-40983 is a denial of service vulnerability in the Micrometer gRPC server.
  • CVE-2026-40984 is a denial of service vulnerability in the Micrometer HTTP server.
  • CVE-2026-40987 is an arbitrary file write vulnerability in Spring Integration.
  • CVE-2026-40988 and CVE-2026-40993 are denial of service and insecure deserialization vulnerabilities in Spring Security SAML.
  • CVE-2026-40994, CVE-2026-40998, and CVE-2026-40999 are WS-Security validation bypass, XML External Entity (XXE), and server-side request forgery (SSRF) vulnerabilities in Spring Web Services.
  • CVE-2026-41003 is a cross-site scripting (XSS) vulnerability in Spring Security.
  • CVE-2026-41006 and CVE-2026-41007 are access control bypass and denial of service vulnerabilities in Spring HATEOAS.
  • CVE-2026-41695 and CVE-2026-41716 are denial of service vulnerabilities in Spring Data Commons.
  • CVE-2026-41699, CVE-2026-41700, and CVE-2026-41856 are insecure deserialization, cross-site WebSocket hijacking, and access control bypass vulnerabilities in Spring for GraphQL.
  • CVE-2026-41717 is a SpEL expression injection vulnerability in Spring Data MongoDB.
  • CVE-2026-41720 is an authentication bypass vulnerability in Spring LDAP.
  • CVE-2026-41728 and CVE-2026-41729 are access control bypass and SpEL expression injection vulnerabilities in Spring Data REST.
  • CVE-2026-41731 and CVE-2026-41732 are insecure deserialization vulnerabilities in Spring for Apache Kafka and Spring for Apache Pulsar, respectively.
  • Each affected product should be updated to the latest patched version.