Spring Boot 4.0.5 and 4.1.0-M4 Released
March 26, 2026 was a busy day for Spring Boot releases, with two separate releases landing in Maven Central simultaneously: the maintenance patch Spring Boot 4.0.5 and the fourth milestone of the upcoming Spring Boot 4.1.0.
Spring Boot 4.0.5 is a focused patch that delivers 17 bug fixes, documentation improvements, and dependency upgrades. Coming just one week after the security-focused 4.0.4 release, which patched two Actuator authentication bypass CVEs, 4.0.5 continues the regular maintenance cadence for the 4.0.x branch. Teams running 4.0.4 in production should plan an upgrade, as the dependency upgrades in 4.0.5 include transitive library refreshes relevant to production deployments.
Spring Boot 4.1.0-M4 is the latest milestone toward the next feature release. The 4.1 line has been building steadily since M1, with M3 introducing AMQP 1.0 specification support and a new Spring Batch MongoDB module. M4 continues this trajectory with additional improvements and bug fixes ahead of the 4.1.0 GA release expected later in 2026. Teams evaluating the upcoming 4.1 feature set can test M4 against their applications using snapshot repositories.
Read more about Spring Boot 4.0.5 — spring.io
Read more about Spring Boot 4.1.0-M4 — spring.io
Spring AI 2.0.0-M4, 1.1.4, and 1.0.5: Security Patches and Anthropic SDK Integration
Spring AI released a coordinated set of updates on March 26, 2026: version 2.0.0-M4 for the development branch, along with maintenance releases 1.1.4 and 1.0.5 for stable lines. Together these releases address four security CVEs and deliver a combined 51 improvements, bug fixes, and documentation updates.
The most significant security fixes in M4 address four CVEs: CVE-2026-22738, CVE-2026-22742, CVE-2026-22743, and CVE-2026-22744. These follow the two CVEs (CVE-2026-22729 and CVE-2026-22730) fixed in the prior M3, 1.1.3, and 1.0.4 releases from March 17. The maintenance releases 1.1.4 and 1.0.5 carry the same security fixes for teams not yet moving to the 2.0 milestone track, making them essential upgrades for any production Spring AI deployment.
On the feature side, Spring AI 2.0.0-M4 completes the integration with the official Anthropic Java SDK, replacing the prior RestClient-based HTTP implementation. This brings Spring AI in line with Anthropic's supported client surface, enabling more reliable handling of streaming responses, better error messages, and access to new API capabilities as they are released. Earlier 2.0 milestones also introduced MCP annotation package renames and a Jackson 2 to Jackson 3 migration, so teams upgrading from 1.x should review the upgrade notes carefully before targeting M4.
The Spring AI project is moving toward a 2.0 GA release that will align with Spring Boot 4.1. For teams evaluating AI capabilities in Spring applications, M4 represents a significantly cleaner and more security-hardened checkpoint than prior milestones, making it a reasonable basis for experimentation.