Spring Framework 6.2.18 and 7.0.7 Security Releases
Spring Framework 6.2.18 and 7.0.7 became available on April 17, 2026, shipping alongside Spring Boot 3.5.14 and 4.0.6 respectively. Version 6.2.18 delivers 27 fixes and documentation improvements, while 7.0.7 provides 52 fixes — a substantial maintenance update reflecting the active community backlog ahead of Spring I/O in Barcelona next month.
The most important changes are three security vulnerabilities addressed across both releases. CVE-2026-22745 affects the FileSystemResource class on Windows platforms, where the isReadable() method could be exploited to traverse paths when serving static resources via Spring MVC or WebFlux. The releases also fix vulnerabilities in multipart handling and resource caching behavior that could expose denial-of-service vectors in WebFlux and MVC implementations under certain configurations.
Teams running Spring Framework 6.2.x or 7.0.x should upgrade promptly given the security nature of these fixes. Versions on the 5.3.x and 6.1.x open-source lines are no longer receiving updates, and commercial customers using Spring Enterprise or Broadcom support have access to backported hotfixes. Projects on Spring Boot can pick up these fixes by bumping to Boot 3.5.14 (for Framework 6.2.x) or Boot 4.0.6 (for Framework 7.0.x) in their build files.
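As an added example (not part of the original article), a small triage helper that checks Gradle-style dependency coordinates against the patched versions named above, treating a pre-release qualifier (such as -SNAPSHOT) as older than the matching release and flagging the open-source lines the notes say are no longer updated; the sample dependency list is constructed for illustration.

```python
import re
from typing import Optional

# Patched versions from the release notes, keyed by Maven group and (major, minor) line.
# The trailing 1 marks a final release; None marks an open-source line no longer receiving updates.
FIXED_BY_GROUP: dict[str, dict[tuple[int, int], Optional[tuple]]] = {
    "org.springframework": {(5, 3): None, (6, 1): None, (6, 2): (6, 2, 18, 1), (7, 0): (7, 0, 7, 1)},
    "org.springframework.boot": {(3, 5): (3, 5, 14, 1), (4, 0): (4, 0, 6, 1)},
}

def parse_version(v: str) -> tuple[int, int, int, int]:
    """'MAJOR.MINOR.PATCH[-qualifier]' -> (major, minor, patch, is_release).
    A qualifier such as -M2, -RC1 or -SNAPSHOT sorts below the final release of the same number."""
    core, _, qualifier = v.partition("-")
    nums = [int(p) for p in core.split(".")[:3]]
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2], 0 if qualifier else 1)

def assess(group: str, version: str) -> str:
    """Return 'patched', 'upgrade', 'unsupported' or 'unknown-line' for one coordinate."""
    v = parse_version(version)
    lines = FIXED_BY_GROUP.get(group)
    if lines is None or v[:2] not in lines:
        return "unknown-line"      # not a Spring Framework/Boot line covered by these notes
    fixed = lines[v[:2]]
    if fixed is None:
        return "unsupported"       # e.g. 5.3.x / 6.1.x: no open-source fix available
    return "patched" if v >= fixed else "upgrade"

# Constructed sample of group:artifact:version coordinates (hypothetical project).
SAMPLE_DEPS = """
org.springframework:spring-webmvc:6.2.17
org.springframework.boot:spring-boot-starter-web:3.5.14
org.springframework:spring-core:7.0.7-SNAPSHOT
org.springframework:spring-context:5.3.39
org.springframework.kafka:spring-kafka:4.1.0-M2
"""

COORD = re.compile(r"^([\w.\-]+):([\w.\-]+):([\w.\-]+)$")

def triage(text: str) -> dict[str, str]:
    """Map each 'group:artifact' in the list to its assessment."""
    findings = {}
    for raw in text.strip().splitlines():
        m = COORD.match(raw.strip())
        if not m:
            continue
        group, artifact, version = m.groups()
        findings[f"{group}:{artifact}"] = assess(group, version)
    return findings

if __name__ == "__main__":
    for coord, verdict in triage(SAMPLE_DEPS).items():
        print(f"{verdict:12} {coord}")
```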
The 7.0.7 release also marks an important inflection point: with 52 fixes in a single patch release, the 7.x line is clearly in a period of active production hardening, which is expected given Spring Boot 4.0 GA reached developers in November 2025 and real-world adoption has been accelerating.
Spring for Apache Kafka 4.1.0-M2
Spring for Apache Kafka 4.1.0-M2 introduces a RENEW acknowledgment type alongside a corresponding renew() method, designed to extend acquisition locks for long-running record processing scenarios. In partition-assignment setups where processing a single record can exceed the lock TTL, the RENEW mechanism allows the consumer to signal ongoing activity and prevent lock expiry without committing the offset — solving a class of "spurious rebalance" bugs in high-latency processing pipelines.
The milestone also delivers enhanced error handling for ShareKafkaMessageListenerContainer, providing both poll-level and listener-level error handling strategies. Share groups, Kafka's consumer group variant introduced in KIP-932, require different error recovery semantics than traditional consumer groups, and this update gives developers explicit control over how exceptions at each processing stage are surfaced, retried, or dead-lettered.
Standard bug fixes and dependency upgrades round out the milestone. As an M2 (milestone) release it is not yet recommended for production, but teams evaluating Kafka share group support in Spring applications should test against it and provide feedback ahead of the GA release. Spring Boot 4.1, which will ship with Spring for Apache Kafka 4.1, is itself still in its milestone phase, with general availability expected later in 2026.
Read more — InfoQ