spring-framework security-patch cve-fix spring-ai dependency-upgrade

Spring ecosystem ships AI 2.0, patches security flaws

Spring AI 2.0 GA deprecates older Gemini models; six frameworks ship critical CVE fixes requiring immediate dependency updates.

Summary

Multiple frameworks expose deserialization and authentication bypasses—Spring HATEOAS, Kafka, and LDAP all ship urgent patches. Spring AI model enum changes break existing code pointing to GEMINI_2_0_FLASH and GEMINI_2_0_FLASH_LIGHT.

Why it matters

Implementation verdict

Upgrade Spring Boot, Spring Security, Spring AMQP, Spring Kafka, and Spring Vault immediately for CVE coverage. Audit Spring AI integration if using older Gemini models; migrate to GEMINI_3_1_PRO_PREVIEW. Spring Data 2026.0.0 adds type-safe property paths and Kotlin 2.3.20 support—worth adopting if targeting those versions. Test Vault's new path-handling abstractions (VaultClient, ReactiveVaultClient) before production migration.

Sources

1.Spring AI 2.0.0 ships with bug fixes, documentation improvements, dependency upgrades
2.deprecations of the GEMINI_2_0_FLASH, GEMINI_2_0_FLASH_LIGHT and GEMINI_3_PRO_PREVIEW enumerations in favor of a new GEMINI_3_1_PRO_PREVIEW enumeration
3.CVE-2026-41006, a vulnerability that exposes a security-sensitive property due to a bypass of the Jackson access-control annotations
4.a vulnerability that allows an attacker to supply their own malicious hypermedia due to an unbounded static cache
5.removal of the wildcard character from all Jackson message converters to "trust no one" by default
6.new VaultClient and ReactiveVaultClient, designed to provide an "intermediate abstraction layer enforcing relative path handling at its core, preventing unintended absolute path usage"

Dev Signal

Get briefs like this in your inbox — free, 3x a week.

100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.

Read the full issue →All briefs