On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring Security 6.5.11, 7.0.6, and 7.1.0.

These releases address the following CVEs:

• CVE-2026-40988 "Unbounded DEFLATE Inflation in SAML 2.0 Service Provider"
• CVE-2026-40993 "Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry"
• CVE-2026-41003 "Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting"
• CVE-2026-41694 "SAML Payloads Decrypted Without Valid Signature"
• CVE-2026-41706 "Open Redirect When Using CookieRequestCache"
• CVE-2026-41008 "Spring Security Authorization Server Open Redirect via request_uri"
• CVE-2026-47838 "Unauthorized User Impersonation when Using X.509 Client Certificates"

For the 7.1.0 release, please check out the main feature set in our What's New in Spring Security 7.1 page.

For a complete list of changes, refer to the changelogs:

• 6.5.11
• 7.0.6
• 7.1.0

Commercial Releases

Open source support for Spring Security 5.7.x, 5.8.x, 6.3.x, and 6.4.x generations has ended, see our support page for more information. Commercial customers can update to 5.7.25, 5.8.27, 6.3.18, 6.4.18, 6.5.10.2, or 7.0.5.1 respectively. These are also included in the latest Boot releases, 2.7.34.1, 3.3.20.1, and 3.4.17.1, as well as Boot hot fixes 3.5.14.2 and 4.0.6.1. These versions are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription.

Project Page | GitHub | Issues | Documentation