On behalf of the team and everyone who has contributed, I'm happy to announce that Spring Boot 3.5.14 has been released and is now available from Maven Central.

This release includes 48 bug fixes, documentation improvements, and dependency upgrades. Thanks to all those who have contributed with issue reports and pull requests.

CVE reports

This release addresses the following CVEs:

• CVE-2026-40971 "RabbitMQ auto-configuration with an SSL bundle disables TLS hostname verification"
• CVE-2026-40972 "DevTools remote secret comparison is vulnerable to timing attacks"
• CVE-2026-40973 "Predictable temp directory accepted without ownership verification"
• CVE-2026-40974 "Cassandra SSL auto-configuration disables TLS hostname verification"
• CVE-2026-40975 "Random value property source uses a weak PRNG unsuitable for secrets"
• CVE-2026-40977 "PID file write follows symlinks at predictable default path"

How can you help?

If you're interested in helping out, check out the "ideal for contribution" tag in the issue repository. If you have general questions, please ask on stackoverflow.com using the spring-boot tag.

Project Page | GitHub | Issues | Documentation | Stack Overflow