Spring Product Security Update Advisory

Overview

Security updates have been released for vulnerabilities in several Spring products. Environments running the affected versions listed below should be updated to a fixed release that contains the security patches.

Affected Products and Vulnerabilities

  • CVE-2026-41708: Denial-of-Service (DoS) vulnerability in Spring Cloud Sleuth.
    • Affected versions: 3.1.0 through 3.1.13.
    • Fixed version: 3.1.14.
  • CVE-2026-41838: Predictable session ID vulnerability in the WebSocket module of Spring Framework.
    • Affected versions: 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.
    • Fixed versions: 7.0.8, 7.0.7.1, 6.2.19, 6.2.18.1, 6.1.28, 5.3.49.
  • CVE-2026-47825: Untrusted proxy header forwarding vulnerability in Spring Cloud Gateway.
    • Affected versions: 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x releases earlier than the fixed versions below.
    • Fixed versions: 3.1.13, 4.1.13, 4.2.9, 4.3.4.1, 4.3.5, 5.0.1.1, 5.0.2.
  • CVE-2026-47835: Arbitrary query execution vulnerability in Spring AI Vector Store.
    • Affected versions: 1.0.0 through 1.0.8, and 1.1.0 through 1.1.7.
    • Fixed versions: 1.0.9, 1.1.8.

Recommended Actions

Updating each affected product to one of the fixed versions listed above resolves the corresponding issue. Note that a fixed version is specific to its release line (for example, a 6.2.x deployment of Spring Framework needs 6.2.19 or 6.2.18.1, not 7.0.8), so check the resolved version of every affected module in the dependency tree rather than only the top-level starter. The advisory further recommends keeping each product on the latest version and following the update instructions provided on the vendor's reference site.
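To turn the version ranges above into a repeatable check, the following added example (not tooling from this advisory or from the Spring project) parses `mvn dependency:list` output and flags every artifact whose resolved version falls inside an affected range, using numeric version comparison so that four-component fixed versions such as 7.0.7.1 and 4.3.4.1 are handled correctly. The Maven groupIds and the artifactId markers (`sleuth`, `spring-websocket`, `gateway`, `store`) are assumptions about which artifacts ship the affected modules, and the sample Maven output is constructed; verify both against your own dependency tree.

```python
"""Flag Maven dependencies that fall inside this advisory's affected ranges.

Added example, not tooling from the advisory or the Spring project. The
artifact markers below are assumptions about which Maven artifacts ship the
affected modules; check them against your own dependency tree.
"""
import re
from typing import Iterable, List, Tuple

# Ranges taken from the advisory. Each entry is (CVE, first affected version
# on a release line, first fixed version on that line); a dependency is
# flagged when first_affected <= version < first_fixed. Keys are
# (groupId, substring expected in the artifactId) and are assumptions.
ADVISORY = {
    ("org.springframework.cloud", "sleuth"): [
        ("CVE-2026-41708", "3.1.0", "3.1.14"),
    ],
    ("org.springframework", "spring-websocket"): [
        ("CVE-2026-41838", "7.0.0", "7.0.7.1"),
        ("CVE-2026-41838", "6.2.0", "6.2.18.1"),
        ("CVE-2026-41838", "6.1.0", "6.1.28"),
        ("CVE-2026-41838", "5.3.0", "5.3.49"),
    ],
    ("org.springframework.cloud", "gateway"): [
        ("CVE-2026-47825", "3.1.0", "3.1.13"),
        ("CVE-2026-47825", "4.1.0", "4.1.13"),
        ("CVE-2026-47825", "4.2.0", "4.2.9"),
        ("CVE-2026-47825", "4.3.0", "4.3.4.1"),
        ("CVE-2026-47825", "5.0.0", "5.0.1.1"),
    ],
    ("org.springframework.ai", "store"): [  # assumed marker for vector store artifacts
        ("CVE-2026-47835", "1.0.0", "1.0.9"),
        ("CVE-2026-47835", "1.1.0", "1.1.8"),
    ],
}

Finding = Tuple[str, str, str]  # (coordinate, CVE, first fixed version)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.2.18.1', '5.3.39.RELEASE' or '7.0.8-SNAPSHOT' into a numeric tuple.

    Only the leading dotted numeric components are compared; qualifiers such
    as RELEASE or SNAPSHOT are ignored. Shorter versions are padded with
    zeros so that 7.0.7 < 7.0.7.1, which the advisory's fixed-version list
    (7.0.7 affected, 7.0.7.1 fixed) requires. Plain string comparison would
    get '6.2.9' < '6.2.18' wrong, which is why integers are compared.
    """
    match = re.match(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return parts + (0,) * max(0, 4 - len(parts))


def findings_for(group: str, artifact: str, version: str) -> List[Tuple[str, str]]:
    """Return (CVE, first fixed version) pairs that apply to one dependency."""
    v = parse_version(version)
    hits = []
    for (adv_group, marker), ranges in ADVISORY.items():
        if group != adv_group or marker not in artifact:
            continue
        for cve, first_affected, first_fixed in ranges:
            if parse_version(first_affected) <= v < parse_version(first_fixed):
                hits.append((cve, first_fixed))
    return hits


def scan_dependency_list(lines: Iterable[str]) -> List[Finding]:
    """Parse `mvn dependency:list` output lines and return the findings.

    Resolved dependencies appear as
    '[INFO]    group:artifact:type[:classifier]:version:scope', sometimes with
    a trailing '-- module ...' note, so the version is the second-to-last
    colon-separated field of the first token after the [INFO] prefix.
    """
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line.startswith("[INFO]"):
            continue
        tokens = line[len("[INFO]"):].split()
        if not tokens or tokens[0].count(":") < 4:
            continue  # blank [INFO] lines, headings, plugin banners
        fields = tokens[0].split(":")
        group, artifact, version = fields[0], fields[1], fields[-2]
        for cve, first_fixed in findings_for(group, artifact, version):
            findings.append((f"{group}:{artifact}:{version}", cve, first_fixed))
    return findings


# Constructed sample of `mvn dependency:list` output (not from a real project).
SAMPLE_MVN_OUTPUT = """\
[INFO] --- dependency:3.6.1:list (default-cli) @ demo ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-websocket:jar:6.2.18:compile
[INFO]    org.springframework:spring-web:jar:6.2.18:compile
[INFO]    org.springframework.cloud:spring-cloud-gateway-server:jar:4.2.8:compile
[INFO]    org.springframework.cloud:spring-cloud-sleuth-brave:jar:3.1.11:compile -- module spring.cloud.sleuth.brave [auto]
[INFO]    org.springframework.ai:spring-ai-pgvector-store:jar:1.1.8:compile
[INFO]    org.springframework:spring-core:jar:5.3.39.RELEASE:compile
"""

if __name__ == "__main__":
    for coordinate, cve, first_fixed in scan_dependency_list(SAMPLE_MVN_OUTPUT.splitlines()):
        print(f"{coordinate}: affected by {cve}, upgrade to {first_fixed} or later")
```

Run it against real output with `mvn dependency:list | python check_spring_advisory.py` after swapping `SAMPLE_MVN_OUTPUT` for `sys.stdin`. The three flagged artifacts in the sample are the WebSocket module at 6.2.18, the Gateway server at 4.2.8 and Sleuth at 3.1.11; `spring-ai-pgvector-store` at 1.1.8 is already at the fixed version and is not reported. Gradle's `dependencies` task prints a different tree format, so its lines would need their own parser, but `findings_for` can be reused unchanged.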