On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring Security 6.4.10 and 6.5.4.

Spring Security 6.4.10 ships with 4 fixes and several dependency upgrades. This version will be shipped this week with Spring Boot 3.4.10.

Spring Security 6.5.4 ships with 4 fixes and several dependency upgrades. This version will be shipped this week with Spring Boot 3.5.6.

These two releases also address CVE-2025-41248, which was announced in conjunction with CVE-2025-41249.

See Spring Security and Spring Framework Release Fixes for CVE-2025-41248 and CVE-2025-41249 for further…

Five years ago, Spring Security began the journey of modernizing its authorization API. This has paved the way for a number of exciting features like Authorized POJOs, value masking, and, planned for Spring Security 7, Multi-Factor Authentication.

This also deprecated the majority of the Access API. The Access API comprises the family of components in the Spring Security access packages; for example, AccessDecisionManager, AccessDecisionVoter, and FilterSecurityInterceptor. It also includes @EnableGlobalMethodSecurity and other related configuration components.

The numerous benefits to this evolution are detailed on Spring Security's reference guide. It also includes a number of migration hints…

On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring Security 6.4.9 and 6.5.3.

Spring Security 6.4.9 ships with 5 fixes and several dependency upgrades. This version will be shipped this week with Spring Boot 3.4.9.

Spring Security 6.5.3 ships with 8 fixes and several dependency upgrades. This version will be shipped this week with Spring Boot 3.5.5.

Project Page | GitHub | Issues | Documentation

On behalf of the team and everyone who has contributed, I am pleased to announce a new milestone for the next Spring Security generation. We encourage you to review the Spring Security 6 to 7 migration guide to gauge your preparedness for the release. Please also check out the main feature set in our What's New in Spring Security 7 page. Finally, for a detailed view of all changes, please see the Spring Security 7.0.0-M2 release notes.

7.0.0-M2 is now available from Maven Central.

Project Page | GitHub | Issues | Documentation

On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring Security 6.4.8 and 6.5.2.

Spring Security 6.4.8 ships with 3 fixes and several dependency upgrades. This version will be shipped next week with Spring Boot 3.4.8.

Spring Security 6.5.2 ships with 7 fixes and several dependency upgrades. This version will be shipped next week with Spring Boot 3.5.4.

Project Page | GitHub | Issues | Documentation

On behalf of the team and everyone who has contributed, I am pleased to announce a new milestone for the next Spring Security generation. We encourage you to review the Spring Security 6 to 7 migration guide to gauge your preparedness for the release. Please also check out the main feature set in our What's New in Spring Security 7 page. Finally, for a detailed view of all changes, please see the Spring Security 7.0.0-M1 release notes.

7.0.0-M1 is now available from Maven Central.

Project Page | GitHub | Issues | Documentation

On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring Security 6.3.10.

Please check the changelog for more details.

Project Page | GitHub | Issues | Documentation

On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring Security 6.4.6.

Please check the changelog for more details. Note that this release contains the fix for CVE-2025-41232.

Project Page | GitHub | Issues | Documentation

On behalf of the team and everyone who has contributed, I am pleased to announce the general availability of the final Spring Security 6 minor release, 6.5.0!

To see all the new features, please take a look at What's New in Spring Security 6.5 in the reference.

Also, since this is the target release for migrating from 6.x to 7.x, please also begin reviewing the migration guide.

Please check the release changelog as well as the previous changelogs for 6.5.0-M1, 6.5.0-M2, 6.5.0-M3, and 6.5.0-RC1 for more details.

Project Page | GitHub | Issues | Documentation

On behalf of the team and everyone who has contributed, I am pleased to announce the release candidate milestone for the final Spring Security 6 minor release.

Among a number of feature enhancements, there are some that we'd love your attention on as we prepare them for general availability:

Core

• Complete Deprecation of ConfigAttribute, SecurityConfig, and other Access API components.

Specifically, please speak up if you are using any of the ACL Access components that were deprecated.

OAuth 2.0

• Further refinements to DPoP support - #16937, #16921, and #16900

SAML 2.0

• Simplified SAML 2.0 Response validation (docs), Assertion validation (docs), and Authentication conversion (docs)
• A RelayState-based Authentication Request Repository - #14793
…