On behalf of the team and everyone who has contributed, I'm happy to announce that Spring Boot `4.0.6` has been released and is now available from Maven Central.

This release includes 65 bug fixes, documentation improvements, and dependency upgrades. Thanks to all those who have contributed with issue reports and pull requests.

CVE reports

This release addresses the following CVEs:

CVE-2026-40970 "Elasticsearch auto-configuration with an SSL bundle disables TLS hostname verification"
CVE-2026-40971 "RabbitMQ auto-configuration with an SSL bundle disables TLS hostname verification"
CVE-2026-40972 "DevTools remote secret comparison is vulnerable to timing attacks"
CVE-2026-40973 "Predictable temp directory accepted without ownership verification"
CVE-2026-40974 "Cassandra SSL auto-configuration disables TLS hostname verification"
CVE-2026-40975 "Random value property source uses a weak PRNG unsuitable for secrets"
CVE-2026-40976 "Default security filter chain has no authorization rule with Actuator but without Health"
CVE-2026-40977 "PID file write follows symlinks at predictable default path"

How can you help?

If you're interested in helping out, check out the "ideal for contribution" tag in the issue repository. If you have general questions, please ask on stackoverflow.com using the `spring-boot` tag.

Project Page | GitHub | Issues | Documentation | Stack Overflow

Get the Spring newsletter

Stay connected with the Spring newsletter

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

Resources

Governance and Compliance

Modern App Development

Thank You

Apache®, Apache Tomcat®, Apache Kafka®, Apache Cassandra™, and Apache Geode™ are trademarks or registered trademarks of the Apache Software Foundation in the United States and/or other countries. Java™, Java™ SE, Java™ EE, and OpenJDK™ are trademarks of Oracle and/or its affiliates. Kubernetes® is a registered trademark of the Linux Foundation in the United States and other countries. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. Windows® and Microsoft® Azure are registered trademarks of Microsoft Corporation. “AWS” and “Amazon Web Services” are trademarks or registered trademarks of Amazon.com Inc. or its affiliates. All other trademarks and copyrights are property of their respective owners and are only mentioned for informative purposes. Other names may be trademarks of their respective owners.

[](https://www.youtube.com/user/SpringSourceDev)[](https://github.com/spring-projects)[](https://x.com/springcentral)[](https://bsky.app/profile/spring.io)

[](http://spring.io/blog/2026/04/23/spring-boot-4-0-6-available-now#header)

Cookies

Broadcom and our partners use technology, including cookies to, among other things, operate the site, analyze site usage, view and retain your site interactions, improve your experience and help us advertise. Click “Cookie Settings” to manage your privacy choices. By continuing to use our site, you agree to these data practices as described in ourCookie Notice

Cookies Settings

Privacy Preference Center

### Your Privacy
### Strictly Necessary Cookies
### Functional Cookies
### Performance Cookies
### Targeting Cookies

#### Your Privacy

When you interact with Broadcom as set forth in the Privacy Policy through visiting any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience.

Cookie Policy Privacy Policy

#### Strictly Necessary Cookies

Always Active

These cookies are necessary for the website to function and cannot be switched off in Broadcom’s systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

#### Functional Cookies

[x] Functional Cookies

These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

#### Performance Cookies

[x] Performance Cookies

These cookies allow Broadcom to count visits and traffic sources so Broadcom can measure and improve the performance of its site. They help Broadcom to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies Broadcom will not know when you have visited our site and will not be able to monitor its performance.

#### Targeting Cookies

[x] Targeting Cookies

These cookies may be set through Broadcom’s site by its advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Cookie List

Consent Leg.Interest

[x] checkbox label label

[x] checkbox label label

[x] checkbox label label

Clear

- [x] checkbox label label

Apply Cancel

Confirm My Choices

Required Only Allow All

![Image 3: Powered by Onetrust](https://www.onetrust.com/products/cookie-consent/)