Spring Boot 4.0.4 Released: Two Actuator Security CVEs Fixed

What Was Announced

Spring Boot 4.0.4 was released on March 19, 2026 and is a patch release for the Spring Boot 4.0.x line. It is the recommended version for all Spring Boot 4.0 users and includes 67 bug fixes, documentation improvements, and dependency upgrades alongside two important security fixes.

Key Features and Changes

CVE-2026-22731 — Authentication Bypass Under Actuator Health Group Paths

This vulnerability allows Actuator health group endpoints to be reached without authentication even when Spring Security is configured to protect them. When you define a health group (for example, one served at /actuator/health/liveness) and write security rules expecting that path to be protected, request path matching under certain configurations did not line up with those rules, so the group's health details were served without credentials. Depending on what the group includes and whether details are shown, that reveals more than an UP/DOWN status, and in some setups it also exposes sensitive environment information.

CVE-2026-22733 — Authentication Bypass Under Actuator CloudFoundry Endpoints

The CloudFoundry-specific Actuator integration, served under /cloudfoundryapplication/**, had a similar authentication bypass. Applications deployed to Cloud Foundry, or any application in which the CloudFoundry support of spring-boot-actuator-autoconfigure is active, should treat this as high priority.

67 Bug Fixes and Dependency Upgrades

Beyond the CVEs, the release includes the usual patch cycle of bug fixes reported since 4.0.3 and updates to transitive dependencies for security hygiene.

Why It Matters for Developers

If your application exposes Actuator endpoints, and most production Spring Boot apps do for health checks, metrics, and readiness probes, this is a mandatory upgrade. Authentication bypasses on health endpoints are especially dangerous in Kubernetes deployments, where health paths are routinely exempted from ingress authentication so that probes and load balancers can reach them. In that setup Spring Security is the only control in front of the endpoint, and a bypass in its path matching leaves the health group, and whatever details it includes, reachable without credentials by anything that can reach the pod, whether from inside the cluster or through an ingress that exempts the path.

The upgrade path from 4.0.3 to 4.0.4 is straightforward: bump the spring-boot-starter-parent version in your pom.xml (Maven) or the org.springframework.boot plugin version in build.gradle or build.gradle.kts (Gradle) and rerun your test suite. There are no API changes in this patch release.

Maven (pom.xml):

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>4.0.4</version>
</parent>

Gradle (build.gradle.kts):

plugins {
    id("org.springframework.boot") version "4.0.4"
}
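Bumping the version is not the end of the job: the security property you care about is that every health group path, and the CloudFoundry path if it is active, answers an unauthenticated request with 401 or 403 (or 404 if the endpoint is not exposed at all) rather than 200. The script below is an added verification check, not code from the Spring Boot project or from the original article. It probes each path twice, once anonymously and once with HTTP Basic credentials, and classifies the pair of status codes, because a single anonymous request cannot tell "protected" apart from "not exposed". The path list, the credentials (user/pass) and the FakeActuator stand-in server are assumptions constructed for the demo; the fake server only models the symptom the page describes (health group paths served without credentials), not the actual path-matching defect, which the page does not detail.

```python
"""Post-upgrade check: do Actuator health group / CloudFoundry paths reject anonymous requests?

Added verification example; not part of Spring Boot or the original article.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Paths to probe. Base path and group names are assumptions for illustration;
# replace with the groups and management base path your application defines.
DEFAULT_PATHS = [
    "/actuator/health",
    "/actuator/health/liveness",
    "/actuator/health/readiness",
    "/cloudfoundryapplication",
    "/cloudfoundryapplication/health",
]


def fetch_status(base_url, path, auth=None, timeout=5):
    """GET base_url+path, optionally with HTTP Basic auth, and return the status code."""
    req = urllib.request.Request(base_url + path, method="GET")
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx are still answers we want
        return err.code


def classify(anon_status, auth_status):
    """Interpret the (anonymous, authenticated) status pair for one path."""
    if anon_status in (401, 403):
        return "protected"
    if anon_status == 404 and auth_status == 404:
        return "not-exposed"
    if anon_status < 400:
        return "EXPOSED-UNAUTHENTICATED"  # the finding this check exists for
    return f"other({anon_status}/{auth_status})"


def audit(base_url, paths=DEFAULT_PATHS, auth=("user", "pass")):
    """Return {path: verdict} for every probed path."""
    return {p: classify(fetch_status(base_url, p), fetch_status(base_url, p, auth))
            for p in paths}


class FakeActuator(BaseHTTPRequestHandler):
    """Constructed stand-in for a pre-fix app: health groups answer anyone with 200,
    the base health endpoint demands credentials, CloudFoundry support is off."""
    open_paths = {"/actuator/health/liveness", "/actuator/health/readiness"}

    def do_GET(self):
        if self.path in self.open_paths:
            code, body = 200, b'{"status":"UP"}'
        elif self.path.startswith("/cloudfoundryapplication"):
            code, body = 404, b""
        elif "Authorization" in self.headers:
            code, body = 200, b'{"status":"UP","components":{"db":{"status":"UP"}}}'
        else:
            code, body = 401, b""
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_fake():
    """Start the stand-in server on a loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeActuator)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    srv, url = serve_fake()
    try:
        for path, verdict in audit(url).items():
            print(f"{verdict:24} {path}")
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real deployment, call audit("https://your-host", auth=("actuator-user", "secret")) from outside the pod and from another pod in the cluster; any EXPOSED-UNAUTHENTICATED verdict on a path you intended to protect means the upgrade has not taken effect, or your security rules were never matching that path in the first place.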

Source

Read the original article at Spring.io

Written by Stanislav Lentsov, Software Architect
