
SPRING FRAMEWORK PATCHES 16 CVES, LDAP TIGHTENS PASSWORD VALIDATION

By RepoJournal · Filed · About Spring

Spring Framework 7.0.8 shipped overnight with a massive security update addressing 16 CVEs, while Spring LDAP closed a critical authentication bypass that could accept empty passwords as valid logins.

Spring Framework 7.0.8 [1] is a mandatory upgrade if you're on 7.0.x. The release fixes 16 security vulnerabilities, including CVE-2026-41838 (predictable WebSocket session IDs) and CVE-2026-41839, with details in the Spring security blog.

Spring LDAP 4.1.0 [2] ships alongside a critical fix [3] that rejects empty passwords in DirContextAuthenticationStrategy implementations, closing a vulnerability where LDAP directories that accept unauthenticated binds could report a false authentication success. This affects all versions relying on simple bind authentication.

Spring Integration 7.0.x and 6.5.x got a lock-handling fix [4] that blocks unlock operations until the key is actually removed from the cache, preventing race conditions on interrupted threads.

Micrometer 1.17.0 [2] and 1.16.6 [5] maintenance releases landed across LDAP, Pulsar, and Framework, with bug fixes for a LongTaskTimer ArrayIndexOutOfBoundsException.

Spring Tools added more Claude quick fixes [6] for the Code plugin, while Framework merged SpEL operation tracking [7] to prevent expression DoS attacks via configurable operation limits.
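The guard the Spring LDAP fix [3] describes, shown here as an added illustration and not the project's own patch: a decorator around Spring LDAP's DirContextAuthenticationStrategy interface (its two methods, setupEnvironment and processContextAfterCreation, are the real ones) that refuses to bind with an empty password, so a directory that permits unauthenticated binds can never answer "success" for a blank credential. The class name and the wiring at the bottom are assumptions.

```java
import java.util.Hashtable;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy;

/**
 * Added example (not Spring LDAP's code): wraps any authentication strategy and
 * rejects empty passwords before a simple bind is attempted. RFC 4513 calls a
 * bind with a DN and an empty password an "unauthenticated" bind; a directory
 * that allows it returns success without checking anything, which a caller
 * that equates "bind succeeded" with "password is correct" treats as a login.
 */
public final class NonEmptyPasswordAuthenticationStrategy implements DirContextAuthenticationStrategy {

    private final DirContextAuthenticationStrategy delegate;

    public NonEmptyPasswordAuthenticationStrategy(DirContextAuthenticationStrategy delegate) {
        this.delegate = delegate;
    }

    @Override
    public void setupEnvironment(Hashtable<String, Object> env, String userDn, String password)
            throws NamingException {
        requireNonEmptyPassword(password);          // fail before the JNDI environment is built
        delegate.setupEnvironment(env, userDn, password);
    }

    @Override
    public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password)
            throws NamingException {
        requireNonEmptyPassword(password);          // defence in depth: same rule after creation
        return delegate.processContextAfterCreation(ctx, userDn, password);
    }

    // Deliberately coarse: null or zero-length is refused; whitespace-only is left to the directory's policy.
    static void requireNonEmptyPassword(String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            throw new NamingException("refusing simple bind with an empty password (would be an unauthenticated bind)");
        }
    }

    // Assumed wiring: wrap the strategy the context source already uses.
    public static LdapContextSource hardened(LdapContextSource contextSource) {
        contextSource.setAuthenticationStrategy(
                new NonEmptyPasswordAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy()));
        return contextSource;
    }
}
```

The server-side counterpart is to make sure the directory itself does not permit unauthenticated binds (in OpenLDAP that behaviour is only enabled by the `bind_anon_cred` allow option), so the client check is a second layer rather than the only one.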

References

  [1] v7.0.8 (spring-projects/spring-framework)
  [2] 4.1.0 (spring-projects/spring-ldap)
  [3] Reject Empty Passwords in DirContextAuthenticationStrategy Implementations (spring-projects/spring-ldap)
  [4] GH-11049: Block unlock until key is removed (spring-projects/spring-integration)
  [5] Bump io.micrometer:micrometer-tracing-bom from 1.6.5 to 1.6.6 (spring-projects/spring-pulsar)
  [6] Claude more quickfixes (spring-projects/spring-tools)
  [7] Track operations during SpEL expression evaluation (spring-projects/spring-framework)

FAQ

What changed in Spring on June 8, 2026?
Spring Framework 7.0.8 shipped overnight with a massive security update addressing 16 CVEs, while Spring LDAP closed a critical authentication bypass that could accept empty passwords as valid logins.
What should Spring teams do about it?
  • Upgrade Spring Framework to 7.0.8 immediately: 16 CVEs, including WebSocket session fixation
  • Update Spring LDAP to 4.1.0, or apply the empty-password validation patch, to block authentication bypasses
  • Cherry-pick the Spring Integration lock fix to the 7.0.x and 6.5.x branches to prevent race conditions
Which Spring repositories shipped on June 8, 2026?
spring-projects/spring-framework, spring-projects/spring-ldap, spring-projects/spring-integration, spring-projects/spring-pulsar, spring-projects/spring-tools

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.