Concerns about Spring AI CVEs and Upcoming Version Deadlines

Asked By TechieTornado92 On

I've recently come across some serious concerns regarding the vulnerabilities listed as CVE-2026-22729 and CVE-2026-22730 associated with Spring AI. With Spring Boot 3.5 nearing its end of life in June, I'm curious about what this means for developers using these platforms. Specifically, I'm interested in the implications of the CVEs and the upcoming Spring AI 2.0 release, which is still not out yet but is expected around May. How should developers plan for this upgrade with such a tight timeline? Is Spring AI 2.0 more stable than the discussions imply, or should we be preparing for significant challenges?

4 Answers

Answered By DevDude8 On

Before diving in, are you sure these CVEs actually affect you directly? It might depend on how you're using Spring.

Answered By UpgradeGuru99 On

It's worth noting that Spring AI 1.x is also hitting EOL in June unless you opt for paid support. But you can start getting familiar with Spring AI 2.0 now since milestone releases are already available. You really just have to decide whether to invest time or money into this.

Answered By CodeCrafter42 On

Honestly, those blog posts don't seem very reliable, so I wouldn't stress too much. From what I've seen, you can still be okay if you prepare for Spring AI 2.0.

Answered By JustMigratedNow On

I just upgraded to 3.5.11, and now I'm reading about these issues? Ugh, what a mess!

UpgradeExpert77 -

You should be upgrading every six months to stay supported, just a heads-up!
