Spring Blog

Spring LDAP 2026.06 Releases - Contains CVE Fix

Releases | Josh Cummings | June 08, 2026 | 1 min read | ...

On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring LDAP 3.3.8, 4.0.4, and 4.1.0.

These releases address the following CVE:

  • CVE-2026-41720 "Authentication Bypass with Empty Password in Spring LDAP"

For the 4.1.0 release, please check out the main feature set in our What's New in Spring LDAP 4.1 page.

For a complete list of changes, refer to the changelogs:

Commercial Releases

Open source support for Spring LDAP 2.4.x and 3.2.x generations has ended, see our support page for more information. Commercial customers can update to 2.4.5, 3.2.18, 3.3.7.1, or 4.0.3.1 respectively. These are also included in the latest Boot releases, 2.7.34, 3.3.20, and 3.4.17, as well as Boot hot fixes 3.5.14.1 and 4.0.6.1. These versions are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription.

Project Page | GitHub | Issues | Documentation

Get the Spring newsletter

Stay connected with the Spring newsletter

Subscribe

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all