CVE-2026-22729, CVE-2026-22730 and the Spring Boot 3.5 EOL Crunch Facing Spring AI Teams
The Spring AI 2.0 Upgrade Dilemma and the Looming Security Risk

The short version: If you're building AI features with Spring today, you're almost certainly on a path toward an end-of-life problem. Not because the OSS Spring team isn't shipping — they absolutely are. But the timing of where Spring AI sits in the release cycle means a lot of teams are going to find themselves in a tighter window than they realize.
Here's what's happening.
Spring AI 1.x Runs on Spring Boot 3.5 — Which Goes EOL in June 2026
Spring AI 1.0 and 1.1 are the current releases. They both target Spring Boot 3.5. Spring AI tracks Boot closely, and the Spring team does excellent work keeping the ecosystem together.
The issue is that Spring Boot 3.5, Spring AI 1.0 and Spring AI 1.1 all reach end-of-life in June 2026. After that date, Spring Boot 3.5 and Spring AI 1.x will no longer receive OSS updates, bug fixes, or security patches from the community. Vulnerabilities will go unaddressed. That's not a knock on the project — it's just how open source support lifecycles work. Resources flow toward the current and next versions, not the previous ones.
So if you're running Spring AI today, your underlying runtime platform has a known expiration date about three months away.
Keep Current on Spring AI 2.0 — Which Isn't Released Yet
The natural upgrade path is clear: move to Spring AI 2.0, which targets Spring Boot 4. Spring Boot 4 will be actively supported in OSS and you're back on solid ground.
The problem is that Spring AI 2.0 hasn't shipped yet.
Looking at the Spring AI 2.0.0 milestone on GitHub, the release will target Spring Boot 4 compatibility and includes major changes. As of now, the milestone is still open. Estimates put the release somewhere in the May 2026 timeframe — which is plausible, but not guaranteed.
Do the math: if Spring AI 2.0 ships in May and Spring Boot 3.5 goes EOL in June, teams have roughly one month to evaluate a release that includes a major API redesign, update their codebases, test their AI integrations, and ship to production.
For simple applications, that's tight. For enterprise teams with approval processes, compliance reviews, or complex AI pipelines, one month is simply not enough time.
Recent High Severity CVEs Illustrate the Stakes
Two high severity vulnerabilities that landed recently — CVE-2026-22729 and CVE-2026-22730 — are worth paying attention to, not because they represent an unusual emergency, but because they illustrate exactly what the EOL situation means in practice.
Both have been patched in the current OSS releases, Spring AI 1.0.4 and 1.1.3. If you're current, you can update and move on.
That's the OSS model working exactly as intended. The Spring security team identified issues, patched them, and shipped fixes. If you're keeping up with releases, you're protected.
The harder question is: what happens to teams running on versions that fall outside the supported window? After June 2026, Spring AI 1.0, Spring AI 1.1, and Spring Boot 3.5 all enter that unsupported zone. New CVEs will be fixed in upstream releases — but not backported to EOL versions. Your scanners will flag findings. Your security team will ask questions. And the answer "we know, we're working on the upgrade" has a shelf life.
We're not raising CVE-2026-22729 and CVE-2026-22730 as scare tactics. The good news is that right now, both are fixed, and if you're current you're protected. We're raising them because they're a preview of the environment your team will be operating in once the EOL date passes and patches stop coming. It's a compressed timeline, and you should be ready to upgrade quickly or make plans to give yourself more time.
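One practical check to pair with the fix levels above is a build-file audit that compares each Spring AI dependency against the patched version of its own release line, since 1.1.2 is below the fix level even though it is "higher" than 1.0.4. This is an added example, not code from the post or the Spring project; the sample pom.xml is constructed, and the fix table contains only the two versions the post names.

```python
import re
import xml.etree.ElementTree as ET

# Fix levels stated in the post: the 1.0 line is patched from 1.0.4,
# the 1.1 line from 1.1.3. Any other line (e.g. a 2.0 milestone) is
# outside this table and is reported as "unknown" rather than guessed.
FIXED_BY_LINE = {(1, 0): (1, 0, 4), (1, 1): (1, 1, 3)}

_POM_NS = "http://maven.apache.org/POM/4.0.0"
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def parse_version(version):
    """Numeric (major, minor, patch) triple, ignoring qualifiers such as
    -SNAPSHOT or -M1; None for placeholders like ${spring-ai.version}."""
    m = _VER.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def assess(version):
    """Classify a Spring AI version as 'patched', 'vulnerable' or 'unknown'.
    Comparison is per release line, so 1.1.2 is NOT treated as >= 1.0.4."""
    v = parse_version(version)
    if v is None or (v[0], v[1]) not in FIXED_BY_LINE:
        return "unknown"
    return "patched" if v >= FIXED_BY_LINE[(v[0], v[1])] else "vulnerable"

def spring_ai_versions_in_pom(pom_xml):
    """Map artifactId -> version for every org.springframework.ai dependency,
    including BOM imports under dependencyManagement."""
    ns = {"m": _POM_NS}
    found = {}
    for dep in ET.fromstring(pom_xml).iter(f"{{{_POM_NS}}}dependency"):
        if dep.findtext("m:groupId", default="", namespaces=ns) != "org.springframework.ai":
            continue
        aid = dep.findtext("m:artifactId", default="", namespaces=ns)
        found[aid] = dep.findtext("m:version", default="", namespaces=ns)
    return found

def audit(pom_xml):
    """artifactId -> assessment for one pom.xml string."""
    return {aid: assess(ver) for aid, ver in spring_ai_versions_in_pom(pom_xml).items()}

# Constructed sample pom (not from any real project): the BOM pins 1.1.2,
# one patch release below the 1.1.3 fix level.
SAMPLE_POM = f"""<project xmlns="{_POM_NS}">
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.springframework.ai</groupId>
      <artifactId>spring-ai-bom</artifactId>
      <version>1.1.2</version>
      <type>pom</type><scope>import</scope>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""
```

Versions expressed as a Maven property placeholder come back as "unknown"; resolve the property first or run the check against the effective pom.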
HeroDevs NES for Spring: More Time to Migrate Safely
This is exactly the problem HeroDevs Never-Ending Support (NES) is designed to solve.
HeroDevs will have full NES coverage for Spring Boot 3.5 and all related projects, which includes Spring AI 1.0 and Spring AI 1.1 support. When those OSS end-of-life dates hit in June 2026, NES picks up where the community leaves off — providing security patches, CVE remediation, and continued support for teams that aren't yet ready to make the jump to Spring Boot 4 and Spring AI 2.0.
The goal isn't to let teams defer upgrades indefinitely. It's to give them a safe, supported bridge that decouples "our platform support expires" from "we must rush a major migration." With NES in place:
- Your current Spring AI 1.1 deployment stays covered after June 2026
- Your security and compliance posture doesn't deteriorate while you migrate
- You can plan and execute the Spring AI 2.0 upgrade on a timeline that fits your team — not one dictated by an expiration date
Learn more about HeroDevs NES for Spring.
The Bottom Line
The Spring AI ecosystem is healthy and moving fast. The Spring team will ship 2.0, and it's going to be a strong release. The EOL situation with Spring Boot 3.5 isn't a crisis — it's a known constraint with a known resolution path.
The constraint is time. If your organization can absorb a major API migration in the month between Spring AI 2.0's release and Spring Boot 3.5's EOL date, great — get started now and be ready to move fast when 2.0 ships.
If that timeline doesn't fit your reality, NES for Spring gives you the breathing room to do this upgrade right.
Either way, now is the time to be thinking about it.