On behalf of the team and everyone who has contributed, I am pleased to announce that the Spring Security 6.1.0-RC1, 6.0.3, 5.8.3 and 5.7.8 versions are available now.

Please refer to the releases page for more detail on what is included in each release.

Those versions fix the following CVE:

• cve-2023-20862: Empty SecurityContext Is Not Properly Saved Upon Logout

The 6.0.3 and 5.7.8 versions will be shipped with Spring Boot 3.0.6 and 2.7.11, to be released next Thursday. In the meantime, you can update your existing Spring Boot application to pick up the latest Spring Security version.

For Gradle builds in build.gradle:

ext['spring-security.version'] = '6.0.3'

Or for Maven builds in pom.xml:

<properties>
  <spring-security.version>6.0.3</spring-security.version>
</properties>

It is also important to remember that the 5.8 version of Spring Security is a special release designed to help you to migrate to Spring Security 6.0, therefore if you are planning to upgrade your applications, using that version combined with the special migration guide makes the migration a lot smoother.

Project Page | GitHub | Issues | Documentation