JEP 531 and JEP 533 Officially Targeted for JDK 27
Two key Java Enhancement Proposals have been elevated from Proposed to Target to Targeted status for JDK 27, confirming their place in the September 2026 general availability release.
JEP 531 — Lazy Constants (Third Preview) refines the lazy value API introduced over the previous two preview cycles. This iteration removes the isInitialized() and orElse() methods from the LazyConstant interface and replaces them with a new ofLazy() factory method that can create stable, pre-defined elements for List, Set, and Map. The removal of isInitialized() signals that the JDK team considers checking initialization state an anti-pattern — callers should always rely on the lazy value being initialized on first access rather than branching on whether it has been computed yet.
JEP 533 — Structured Concurrency (Seventh Preview) continues the progression of an API that lets developers treat groups of related tasks running in different threads as a single unit of work with a shared lifecycle. This seventh preview makes targeted, minor improvements based on feedback from the six previous preview rounds delivered in JDK 21 through JDK 26. The core model — where a StructuredTaskScope governs child threads and can be used to implement short-circuit success or fail-first semantics — remains stable, and the API is expected to be finalized in a near-term release.
JDK 27 is on track for feature freeze in early June 2026 and general availability in September 2026. Early-access builds are available at jdk.java.net/27.
Read more — InfoQ
Quarkus Launches Standalone Agent MCP Server and Patches Critical CVE
The Quarkus team shipped two notable items in the same release window: a new MCP integration for AI agent workflows and emergency security patches across multiple versions.
Quarkus Agent MCP is a new standalone Model Context Protocol server that allows AI agents to interact with Quarkus applications without requiring code changes to the application itself. The MCP server exposes Quarkus application endpoints as callable tools, enabling any MCP-compatible agent — including Claude Code, Cursor, or custom LangChain4j agents — to discover and invoke application functionality. This positions Quarkus as a first-class host for AI-augmented backend automation and opens the door to workflows where coding agents can, for example, trigger test runs, inspect application state, or invoke business operations directly.
CVE-2026-39852 is a high-severity vulnerability affecting Quarkus versions 3.20 through 3.35. The flaw allows a security constraint bypass via URL semicolon injection, where an attacker appends a semicolon and arbitrary path segment to a protected URL to evade authorization checks. The Quarkus team released emergency patches across the affected range; all teams running Quarkus in production should upgrade immediately. The vulnerability affects the HTTP layer's URL normalization handling and does not require authentication to exploit.
Read more — InfoQ
JobRunr 8.6.0 Achieves Full JDK 26 Compatibility; GlassFish 8.0.2 Patches Two CVEs
Two ecosystem maintenance releases rounded out this week's Java news, both improving compatibility and security posture.
JobRunr 8.6.0 declares full compatibility with JDK 26. The most significant internal change is the removal of final field mutations, a practice that was deprecated by JEP 500 in JDK 26 to prevent unsafe reflective writes to final fields. Teams using JobRunr 8.x with JDK 26 will benefit from this alignment without any API surface changes. The release also refactors the getAllTableNames() method to improve database performance on backends with large table counts.
GlassFish 8.0.2, the second maintenance release of the Jakarta EE 10 reference implementation, resolves two undisclosed CVEs in addition to delivering feature improvements. The beanName attribute is now supported in the Jakarta EJB @EJB annotation, enabling injection by bean name alongside the existing by-type injection. Hostname resolution is also improved via an updated isLocal() method. Teams running GlassFish in environments with external-facing Jakarta EE applications should upgrade to take advantage of the security fixes.
Read more — InfoQ
