June 7, 2026
Update the Security of your Spring Project Right Now !
Dev Genj
While I was on Twitter (or X), I came across a tweet from @springcentral, the official Spring account, that caught my attention. However, as of today this post has only 43 likes and around 4k views, which is mind-blowing because the post is really important, especially nowadays when we wake up to new hacks every day.
Spring and Security in the times of AI
In 2026, generative AI dominates the news across the whole tech industry, and rightfully so, because it accelerates time to market for business capabilities, improves quality and automates non-programming tasks, allowing teams to focus on the most critical things. The Spring Team also recognizes that they are using these tools and are at a different stage of learning how to get the best out of them while avoiding "AI slop".
Now, thanks to AI, the level of skill needed to identify code patterns that could be vulnerabilities has increased by a lot! They give the example of FreeBSD, considered one of the most secure operating systems in the industry, where a 20-year-old CVE was found thanks to AI.
April saw an unprecedented spike in CVEs announced by Spring. With people using these new AI scanning capabilities, they received 482 new security reports across 65 scanned projects. Of those 482, 370 came from internal scanning and 112 from the community. Note, however, that this total includes duplicates and invalid findings. They also announced that most of the CVEs are of medium to low severity and released a patch for this month of June.
They highly recommend that all Spring users upgrade to the latest versions released!
Example found (critical): CVE-2026-22732 in Spring Security
The issue: HTTP security headers are silently omitted from responses.
In servlet-based Spring MVC apps, the class OnCommittedResponseWrapper fails to properly override the header methods. When Content-Length is set early by caching layers, proxies or load balancers, the response commits BEFORE Spring can inject the critical security headers.
The headers that are silently dropped are:
- Cache-Control
- X-Frame-Options
- X-Content-Type-Options
- HSTS & CSRF Token
This is insane because no errors are shown and nothing is logged. The app appears fully functional while losing those critical headers, which opens the door to XSS, CSRF and session hijacking. The affected versions are all projects containing Spring Security from 5.7.x to 7.0.3. The minimum safe versions are Spring Security 6.5.9 or 7.0.4, and Spring Boot 3.4.15, 3.5.12 or 4.0.4.
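Because the failure is silent, the only reliable way to know your deployment is affected is to look at what actually leaves the stack. As an added example (not code from the post or from the Spring project), here is a small Python audit that takes a raw HTTP response, as captured with `curl -si` against the app behind its real proxy or load balancer, and reports which of the headers listed above are missing or weakened. The two sample responses are constructed, and the header values they use are assumptions, not the project's defaults.

```python
# Added audit helper (not from the Spring post): check a raw HTTP/1.x response
# for the security headers that CVE-2026-22732 can silently drop.
from typing import Callable, Dict, List

# Header -> predicate on the lower-cased value that counts as "present and sane".
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "cache-control": lambda v: "no-store" in v or "no-cache" in v,
    "x-frame-options": lambda v: v in ("deny", "sameorigin"),
    "x-content-type-options": lambda v: v == "nosniff",
    "strict-transport-security": lambda v: "max-age=" in v,
}

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw response into a lower-cased name -> value dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:      # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip().lower()
    return headers

def audit_security_headers(raw: str) -> List[str]:
    """Return one finding per required header that is missing or has a weak value."""
    headers = parse_headers(raw)
    findings: List[str] = []
    for name, is_ok in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif not is_ok(value):
            findings.append(f"{name}: weak value '{value}'")
    return findings

# Constructed sample: a response with the headers Spring Security is expected to add.
HEALTHY = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
# Constructed sample: Content-Length set early by a proxy, response committed, headers gone.
DROPPED = "HTTP/1.1 200 OK\r\nContent-Length: 13\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, raw in (("healthy", HEALTHY), ("dropped", DROPPED)):
        print(label, audit_security_headers(raw) or ["all required headers present"])
```

Run it against every route that sits behind a cache or load balancer, not just against a local dev server, since the bug only triggers when something upstream sets Content-Length first.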
Example of an attack using 2 CVEs
Spring article: Spring and Security In The Times Of AI