I've been reading about the recent Spring AI CVEs (CVE-2026-22729 and CVE-2026-22730) and I'm feeling a bit uneasy about the timing. With the end of life for Spring Boot 3.5 approaching in June and the upgrade path to Spring AI 2.0 (which isn't released yet but is expected in May), I'm worried about meeting the deadline. That leaves us with only about a month to evaluate everything, update code, run tests, and deploy. I'm surprised that there isn't more buzz about this situation. Is there more readiness for Spring AI 2.0 than the blogs suggest? What are your thoughts on managing this transition?
4 Answers
Wow, I just upgraded to 3.5.11 myself! But remember, you’ll need to keep upgrading every six months to stay supported. It’s just the nature of keeping up with evolving tech. The good news is, there's a good chance you've set yourself up for a smoother transition since you're already on a stable version!
I totally get your concerns, but consider moving to Spring Boot 4.x now and trying out Spring AI 2.0.0-M3; the release candidate is expected soon, and general availability is right around the corner. The Spring team has been proactive, so keeping up to date is the best defense against vulnerabilities!
Don't forget that Spring AI 1.x also reaches its end of life in June unless you have a support plan. You can start preparing for Spring AI 2.0 and Spring Boot 4 even now since there are milestone releases already out. It's about making a choice between investing time to upgrade or paying for support if you want to avoid risks.
Honestly, I think you'll be fine. The blog posts you've read might not be the best sources. Just make sure you assess whether your project is actually affected by those CVEs. It's all about risk management!
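
As an added example for the "assess whether your project is actually affected" step (my own code, not the Spring project's and not posted by anyone in this thread): a Python script that parses `mvn dependency:tree` output, lists every `org.springframework.ai` and `org.springframework.boot` artifact with its version, and flags anything below a minimum you supply or still on a milestone/RC. The tree text, the artifact names in it and the minimum versions in `REQUIRED_EXAMPLE` are constructed placeholders; substitute the fixed versions from the advisories, which this thread does not quote. The version ordering is a simplified form of Maven's (milestone < rc < snapshot < release < sp), not a full `ComparableVersion` port.

```python
"""Inventory Spring AI / Spring Boot artifacts in a Maven dependency tree and
flag versions below a required minimum or still on a pre-release line.
Added example; the tree is a constructed sample and the minimums are placeholders."""
import re

# Constructed sample in the format `mvn dependency:tree` prints. Coordinates and
# versions are illustrative; a mixed 1.0.0 / 2.0.0-M3 tree is the kind of drift
# (often pulled in transitively) that an audit like this should surface.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.5.11:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter:jar:3.5.11:compile
[INFO] +- org.springframework.ai:spring-ai-starter-model-openai:jar:1.0.0:compile
[INFO] |  +- org.springframework.ai:spring-ai-openai:jar:1.0.0:compile
[INFO] |  \\- org.springframework.ai:spring-ai-client-chat:jar:1.0.0:compile
[INFO] +- org.springframework.ai:spring-ai-vector-store:jar:2.0.0-M3:compile
[INFO] \\- org.springframework.ai:spring-ai-commons:jar:1.0.0:test
"""

# Placeholder minimums per group id: replace with the fixed versions named in
# the advisories you are assessing against (not stated here).
REQUIRED_EXAMPLE = {"org.springframework.ai": "1.1.0", "org.springframework.boot": "3.5.11"}

# group:artifact:type[:classifier]:version[:scope] at the end of a tree line.
COORD_RE = re.compile(r"([\w.\-]+(?::[\w.\-]+){3,5})\s*$")

# Simplified Maven qualifier ordering; pre-release qualifiers rank below a
# plain release, "sp" above it. Not a full ComparableVersion port.
RELEASE_RANK = 6
QUALIFIER_RANK = {"alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3,
                  "rc": 4, "cr": 4, "snapshot": 5, "": 6, "ga": 6, "final": 6,
                  "release": 6, "sp": 7}


def parse_version(version: str) -> tuple:
    """Turn '2.0.0-M3' into a sortable key ((2,), 3, 3). Trailing .0 parts are
    dropped so 1.0 == 1.0.0; unknown qualifiers raise instead of being guessed."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)[-.]?(\d*))?", version)
    if not m:
        raise ValueError(f"unsupported version format: {version!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    qualifier = (m.group(2) or "").lower()
    if qualifier not in QUALIFIER_RANK:
        raise ValueError(f"unknown qualifier {qualifier!r} in {version!r}")
    return tuple(numbers), QUALIFIER_RANK[qualifier], int(m.group(3) or 0)


def audit(tree_text: str, required: dict) -> list:
    """Return (group:artifact, version, status) for each artifact whose group id
    is in `required`; status is 'ok', 'pre-release' or 'below minimum'.
    Repeated transitive occurrences collapse to one entry per version."""
    seen: dict = {}
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue  # banners, blank lines, verbose-mode annotations
        parts = m.group(1).split(":")
        if len(parts) == 4:        # root project: g:a:type:version
            group, artifact, _t, version = parts
        elif len(parts) == 5:      # g:a:type:version:scope
            group, artifact, _t, version, _s = parts
        elif len(parts) == 6:      # g:a:type:classifier:version:scope
            group, artifact, _t, _c, version, _s = parts
        else:
            continue
        if group in required:
            seen.setdefault(f"{group}:{artifact}", set()).add(version)

    findings = []
    for coord in sorted(seen):
        minimum = parse_version(required[coord.split(":")[0]])
        for version in sorted(seen[coord], key=parse_version):
            key = parse_version(version)
            if key < minimum:
                status = "below minimum"
            elif key[1] < RELEASE_RANK:
                status = "pre-release"   # at/above minimum but still M*/RC/SNAPSHOT
            else:
                status = "ok"
            findings.append((coord, version, status))
    return findings


def needs_action(findings) -> bool:
    """True when anything is below the minimum or on a pre-release version."""
    return any(status != "ok" for _, _, status in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_TREE, REQUIRED_EXAMPLE)
    for coord, version, status in results:
        print(f"{status:14} {coord} {version}")
    print("action needed" if needs_action(results) else "clean")
```

Run it on real input with `mvn dependency:tree > tree.txt` and pass the file contents to `audit()`. Lines carrying verbose-mode annotations ("omitted for duplicate", "version managed from") do not end in a bare coordinate and are skipped, and Gradle's `dependencies` output uses a different layout that this parser does not handle.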

Exactly! Staying on top of upgrades is key, especially with how frequently updates are coming out.