Spring Security 2026.04 Releases - Contains CVE Fixes
Releases | Josh Cummings | April 21, 2026 | 1 min read | 0 Comments

On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring Security `6.5.10`, `7.0.5`, and `7.1.0-RC1`.

These releases address the following CVEs:

  • CVE-2026-22746 "User Attribute Enumeration when Using DaoAuthenticationProvider"
  • CVE-2026-22747 "Unauthorized User Impersonation when Using X.509 Client Certificates"
  • CVE-2026-22748 "Potential Security Misconfiguration when Using withIssuerLocation"
  • CVE-2026-22753 "Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers"
  • CVE-2026-22754 "Servlet Path Not Correctly Included in Path Matching of XML Authorization Rules"
  • CVE-2026-22752 "Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata"
  • CVE-2026-22751 "Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions"

For the `7.1.0-RC1` release, please check out the main feature set in our What's New in Spring Security 7.1 page.

For a complete list of changes, refer to the changelogs:

Open source support for the Spring Security 5.7.x, 5.8.x, 6.3.x, and 6.4.x generations has ended; see our support page for more information. Commercial customers can update to `5.7.23`, `5.8.25`, `6.3.16`, or `6.4.16` respectively. These are also included in the latest Boot hot fixes, `2.7.32.2`, `3.3.18.2`, and `3.4.15.2`. These versions are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription.

Project Page | GitHub | Issues | Documentation