Last checked and updated on 21 May 2026
How Does Spring Security Handle Version Support?
Spring Security is an open-source security framework maintained by Broadcom (formerly VMware Tanzu), serving as the de facto standard for authentication and authorization in Spring-based Java applications. Each minor version receives at least 12 months of OSS support, and each major version line is covered for at least 3 years -- provided you stay on a supported minor.
Support is split into two phases: active OSS support (bug fixes, security patches, dependency updates published freely to Maven Central) and a post-OSS window where only critical security issues may be addressed under commercial enterprise agreements. After both windows close, the branch is officially end-of-life.
| Support Phase | Duration | What You Get |
|---|---|---|
| OSS Support | At least 12 months per minor | Bug fixes, security patches, dependency upgrades -- free via Maven Central |
| Enterprise Support | Extended period via Tanzu Spring subscription | Critical and security-only patches beyond OSS window |
| End of Life | After both phases close | No patches of any kind; upgrade required |
Spring Security's EOL timing is intentionally tied to the broader Spring ecosystem: a branch reaches end-of-life when either its aligned Spring Framework minor or its corresponding Spring Boot minor goes EOL -- whichever applies first. This means staying current with Spring Boot is the most reliable way to stay within a supported Spring Security window. Refer to the release table above for End of OSS support and End of enterprise support dates for each branch.
References: Spring Security official support page -- Spring Security Versions wiki
What Are the Real Risks of Running an Unsupported Spring Security Version?
Running an unsupported Spring Security version means authentication and authorization vulnerabilities -- CVEs in OAuth2 filters, CSRF handling, session management -- will not receive patches from the Spring team.
Spring Security sits at the boundary between your application and every incoming request. A known, unpatched vulnerability in that layer is directly exploitable, not a theoretical concern. Attackers actively scan for applications exposing outdated Spring stacks, and CVE databases publish the exact affected versions.
Beyond active exploits, unsupported branches accumulate dependency drift. Transitive dependencies -- Nimbus JOSE+JWT, Bouncy Castle, Reactor -- continue releasing fixes independently. An EOL Spring Security branch cannot incorporate those updates, leaving your dependency tree increasingly mismatched with the security-patched versions of its own dependencies.
Framework-level risks are also a factor: integrating newer Spring Boot features, migrating to Jakarta EE namespaces, or adopting Spring Authorization Server all require a supported Security version. Staying on an EOL branch gradually closes off upgrade paths elsewhere in your stack.
What Happens After Spring Security OSS Support Ends?
Once OSS support ends, the branch stops receiving public patch releases to Maven Central. No bug fixes, no dependency bumps, no security patches -- the last published artifact is the final one from the open-source team.
The branch is not immediately marked end-of-life. There is a window -- visible in the release table above under End of enterprise support -- where Broadcom's Tanzu Spring commercial subscription covers critical and security-only fixes for paying customers. These patches are distributed through a separate commercial channel, not the public Maven repository.
Once the enterprise window also closes, the version is officially end-of-life. At that point, any CVEs discovered are publicly disclosed with no upstream fix coming from the Spring team for that branch.
Migration Direction
Spring Security versioning is closely aligned with Spring Boot, so the upgrade path is typically straightforward: bump to the current Spring Boot minor and the corresponding Spring Security version follows. The Spring team publishes migration guides for each major version boundary (for example, moving to the 6.x line required adapting to Jakarta EE namespaces and updated method security APIs). For teams on older major lines, upgrading Spring Boot is the recommended starting point -- it pulls the correct Security version transitively and surfaces incompatibilities through Boot's managed dependency BOM.
How To Check Your Spring Security Version
The fastest way is to inspect your build file or the runtime classpath directly.
Maven
mvn dependency:tree | grep spring-security-core
Gradle
./gradlew dependencies --configuration runtimeClasspath | grep spring-security-core
Spring Boot Actuator (runtime)
If the info or env actuator endpoint is enabled, the resolved Spring Security version
appears in the dependency management output. You can also add a quick check in code:
import org.springframework.security.core.SpringSecurityCoreVersion;
System.out.println(SpringSecurityCoreVersion.getVersion());Via Spring Boot BOM
If you are on Spring Boot, the Security version is managed for you. Check the effective BOM version with:
mvn help:effective-pom | grep spring-security
Once you have the version string, cross-reference it with the release table above to confirm whether it falls within the OSS support or enterprise support window -- or is already end-of-life.
FAQ -- Spring Security Support & End of Life
Q1: How long is each Spring Security version supported?
Each minor version of Spring Security receives at least 12 months of OSS support, covering bug fixes, security
patches, and dependency updates. Major version lines are covered for at least 3 years total, but only if you
stay on a supported minor within that line. After OSS support ends, enterprise support extends coverage further
-- exact dates are listed in the release table above.
Q2: Does Spring Security have Long Term Support (LTS) releases?
Spring Security does not publish a separately labeled LTS release the way some runtimes do. Instead, certain
Spring Boot versions -- those designated as LTS within the Spring Boot lifecycle -- carry a longer effective
support window for the entire Spring portfolio, including Security. If you need the longest possible support
window, align your Spring Security version with a Spring Boot LTS release.
Q3: What is the difference between OSS support and enterprise support for Spring Security?
OSS support means patches are published publicly to Maven Central at no cost. Enterprise support, available
through a Broadcom Tanzu Spring commercial subscription, extends patch delivery beyond the OSS window for
critical and security-only fixes. The patches are delivered through a private channel rather than Maven Central.
As shown in the release table above, each branch lists both cutoff dates separately.
Q4: How do I know if my Spring Security version is still supported?
Check the End of OSS support column in the release table above for your branch. If today's date
is past that column, you are outside the free support window. If it also exceeds the End of enterprise
support date, the branch is fully end-of-life. Running mvn dependency:tree or
./gradlew dependencies gives you the exact resolved version to look up.
Q5: What should I do when my Spring Security version reaches end of life?
Upgrade to the current stable Spring Boot release -- Spring Security's version is managed transitively through
the Boot BOM, so updating Boot is the most reliable upgrade path. For major version jumps (for example, crossing
into the 6.x line), review the official Spring Security migration guide for API changes around method security
and Jakarta EE namespaces. In practice, most teams find the Boot-driven upgrade path far smoother than trying to
upgrade Spring Security in isolation.