Spring v7.0.8 Release Notes
Release Date: 2026-06-08
🔒 ⚠️ Security Fixes
This maintenance release fixes a large number of CVEs. You can learn more in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:
- 🔒 CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
- 🔒 CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
- 🔒 CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
- 🔒 CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
- 🔒 CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
- 🔒 CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
- 🔒 CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
- 🔒 CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
- 🔒 CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
- 🔒 CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
- 🔒 CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
- 🔒 CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
- 🔒 CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
- 🔒 CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
- 🔒 CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
- 🔒 CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"
⭐ New Features
- Include zone ID in CronTrigger's equals/hashCode implementations #36871
- 🔦 Expose ClassLoader from DefaultDeserializer #36833
- 0️⃣ Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
- Track operations during SpEL expression evaluation #36801
- Ensure getters have non-void return types in SpEL #36800
- Avoid too many character access attempts in AntPathMatcher #36799
- 0️⃣ Refine default view name resolution #36793
- Refine Jackson JMS converters #36791
- 👌 Improve ABNF rule checks in RfcUriParser #36787
- Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
- ⚙ Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
- 👍 Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
- 0️⃣ Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
- 👌 Improve error messages in SpEL #36756
- 👌 Improve pattern caching in SpEL #36755
- Avoid ResolvableType#forType contention for implicit cache cleanup #36745
- Switch to JdkIdGenerator for WebSocket Sessions #36740
- Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
- LiteWebJarsResourceResolver does not resolve directories #36726
- Warn against unsafe static resource locations in MVC and WebFlux #36692
- Consistent compatibility with Woodstox as an alternative to Xerces #36682
- 👌 Improve principal checks for SockJS session #36681
- Set host header consistently in STOMP relay CONNECT frames #36673
- 👌 Support Micrometer context propagation in Kotlin Flow #36667
- Reliable detection of broadcast messages in UserDestinationMessageHandler #36662
🛠 🐞 Bug Fixes
- Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #36869
- 👍 Server Sent Event does not support multi-line comments #36866
- CronExpression skips days on midnight DST gap #36865
- 🔧 Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36835
- Preserve generic type info in awaitEntity() #36834
- Bean Background Bootstrap and Lazy Init #36844
- 0️⃣ Back-off for DefaultMessageListenerContainer with OracleAQ has changed and is very short in SpringBoot 4 #36809
- Character outside of permitted range in Content Disposition #36805
- 🛠 Fix JSP tag processing #36797
- 🛠 Fix script processing capabilities #36795
- Jaxb2XmlEncoder exclusivity prevents JacksonXmlEncoder usage and hinders POJO serialization #36776
- JacksonXmlEncoder.canEncode incorrectly returns true for String body with application/xml #36775
- Consistently expose map key quotes in PropertyAccessorUtils #36765
- 🛠 Fix fragment parsing for relative URI in RFC URI parser #36762
- 🛠 Fix race condition in InMemoryWebSessionStore #36742
- 📜 Parsing failure for MIME type with quoted parameter values #36730
- Circular dependency between supplier-created beans is silently ignored on startup #36725
- Data is lost for joined DataBuffer in DataBufferUtils #36714
- Cache collisions in CachingResourceResolver #36713
- Unexpected path element removal when resolving versioned resources #36698
- Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36694
- Regression on value class parameter handling #36665
- 🛠 Fix inverted logic for boolean last flag in JettyWebSocketSession when sending binary message #36650
- Parent traceId is not reused when calling WebClient.awaitExchange function #36182
📚 📔 Documentation
- 🛠 Fix broken links to Selenium documentation #36875
- 🛠 Fix applicability note on setAutoGrowCollectionLimit #36863
- 🔧 Document @Conditional gating of nested @Configuration classes #36831
- Javadoc of nestingLevel parameter in MethodParameter constructor is inconsistent with actual implementation #36826
- Re-structuring of Data Binding C...
Previous changes from v7.0.7
⭐ New Features
- 👌 Improve SpringValidatorAdapter and MethodValidationAdapter performance #36621
- 👌 Support JSON array decoding to Flux in KotlinSerializationJsonDecoder #36597
- 🗄 Deprecate methodIdentification() in CacheAspectSupport for removal #36575
- ➕ Add MockRestServiceServer#createServer variant for RestClient #36572
- Create RestClientXhrTransport variant replacing RestTemplateXhrTransport #36566
- 👌 Improve error handling in multipart codecs #36563
- 👉 Make ApplicationListenerMethodAdapter#getTargetMethod() public #36558
- 👍 ApiVersionConfigurer.setSupportedVersionPredicate() returns void instead of ApiVersionConfigurer #36551
- LazyConnectionDataSourceProxy does not work well with Hibernate's multi-tenancy by schema strategy #36527
- ➕ Add registerManagedResource variant with bean key argument to MBeanExporter #36520
- 🖐 Handle blank Accept-Language header in AcceptHeaderLocaleResolver #36513
- 👉 Make AbstractStreamingClientHttpRequest and AbstractBufferingClientHttpRequest public #36501
- MySQL Error 149 (Galera/WSREP conflict) not translated to ConcurrencyFailureException in Spring JDBC/ORM #36499
- ➕ Add PreFlightRequestFilter #36482
- 👌 Support configuration of extension context scope for SpringExtension via Spring or JUnit properties #36460
- 🌲 Lower log level of "Cache miss for REQUEST dispatch" in HandlerMappingIntrospector #36309
🛠 🐞 Bug Fixes
- 🛠 WebDataBinder unnecessarily instantiates collections when using the "!" and "_" prefixes #36625
- 0️⃣ Cache pollution from high-cardinality FieldError default messages in MessageSourceSupport #36609
- 🔀 MergedAnnotation does not use ClassLoader for method or field #36606
- @Sql fails if DataSource is wrapped in a TransactionAwareDataSourceProxy #36611
- 📇 AnnotatedTypeMetadata no longer retains source declaration order on Java 24+ #36598
- 🔀 MergedAnnotation.asMap() fails when an attribute references a non-existent class #36586
- FileSystemResource does not strictly follow the Resource#isReadable() contract #36584
- 0️⃣ Converter overrides in HttpMessageConverters only apply when defaults are registered #36579
- 📇 Invalid method return type metadata for ClassFile variant on JDK 24+ #36577
- 🛠 Fix Writer lifecycle for AbstractJsonHttpMessageConverter.writeInternal(Object, Type, Writer) #36565
- Flushing-related regression in SseServerResponse #36537
- LazyConnectionDataSourceProxy does not pass on holdability to target Connection #36528
- AnnotationBeanNameGenerator fails when an annotation references a non-existent class #36524
- 0️⃣ Preserve default API version in RestClientAdapter #36514
- Inconsistent codings resolution in resource resolvers #36507
- 0️⃣ DefaultJmsListenerContainer may hang in an endless loop in doShutdown #36506
- 0️⃣ Query not hidden in DefaultClientResponse checkpoint #36502
- 👀 RestClient closes stream for ResponseEntity responses #36492
- IllegalStateException when using websocket handshake headers with Tomcat #36486
- Invalid nullness information for ParameterizedTypeReference #36477
- ✅ WebTestClient cannot assert null list elements #36476
- 🖐 Handle Kotlin nullable value class param correctly in CoroutineUtils #36449
- ✂ Remove RFC 2047 encoding from Content-Disposition filename #36328
- Parent traceId is not reused when calling WebClient.awaitExchange function #36182
📚 📔 Documentation
- Clarify semantics of HttpMethod.valueOf() #36652
- Document whitespace semantics in SpEL expressions #36628
- Document that spring.profiles.active is ignored by @ActiveProfiles #36600
- 🔀 MergedAnnotation.asAnnotationAttributes() Javadoc incorrectly states that it creates an immutable map #36567
- 🛠 Fix incorrect Javadoc in HandlerMethodReturnValueHandlerComposite regarding caching #36555
- 🛠 Fix incorrect method name in TypeDescriptor.array() Javadoc #36549
- 🤡 Introduce Kotlin examples for Bean Overrides (@MockitoBean, etc.) #36541
- 🛠 Fix incorrect cross-reference links in AbstractEnvironment Javadoc #36516
- Document RetryTemplate#invoke variants in reference manual #36452
- 🔗 Link observability section to Micrometer Observation Handler docs #34994
⬆️ 🔨 Dependency Upgrades
❤️ Contributors
🚀 Thank you to all the contributors who worked on this release:
@Mohak-Nagaraju, @Sineaggi, @T45K, @angry-2k, @bebeis, @cookie-meringue, @dmitrysulman, @elgunshukurov, @itsmevichu, @junhyung8795, @msridhar, @nameearly, @tobifasc, and @xxxxxxjun
- 👌 Improve