Spring AI security

Broadcom’s Investment in Spring to Combat AI-Fueled Security Challenges in the Enterprise

For decades, Spring has provided a dependable development framework for millions of enterprise developers building Java applications. As the stewards of Spring, we in the Tanzu Division of Broadcom take our role in the safety and security of the Spring and Java ecosystems seriously. To help address AI-driven developments in the current threat landscape, we're excited to introduce new, commercial-first CVE-only patches and investments in the Java dependencies for VMware Tanzu Spring customers.

The new normal of AI-fueled security threats

Every organization's risk profile has genuinely and dramatically changed because of AI-enabled threats. On top of the ongoing exponential increase in the volume of exploits, the patching window has effectively collapsed, and AI allows attackers to chain lower-severity exploits into serious threats. In this new landscape, long-established security workflows will struggle to keep up with the volume and speed of exploits.

Fig 1: Spring open source community security advisories reported to Broadcom, the steward of Spring.

In April 2026 alone, Broadcom saw a 1766% monthly increase in Spring security advisories from the community. This is not just a moment-in-time concern. Similar to trends seen across the open source software ecosystem, a historically elevated number of Spring community security reports continued into May 2026, and we anticipate this trend to continue.

New CVE-only Spring release process

Malicious actors can now use AI to build effective exploits in hours rather than days or weeks, so an organization's ability to remediate quickly is critically important. To meet this accelerated threat environment, and uphold our long-standing commitment to the ethical stewardship of Spring, Broadcom invested heavily in its June 2026 release for Spring, resulting in the largest single set of Spring updates to date in our 23-year history. Now, VMware Tanzu Spring customers have access to validated, CVE-only patches so that they can patch quickly and address broader upgrades at a later date. By delivering these fixes, we enable our customers to take immediate action to strengthen their defenses against emerging threats. Our goal with these ongoing engineering investments is to continue to protect our Spring consumers running in production and prepare them to meet the increased number of security threats in the future.

As always, Broadcom's Spring team will continue to issue CVEs and patches for all versions of Spring under OSS support. For our Tanzu Spring customers, we also backport patches to all supported versions of every Spring project covered by Tanzu Spring enterprise support, including Spring Boot 3.5, which is under enterprise support until 2032.

Securing the Java dependency tree for Spring

Furthermore, Broadcom’s Spring engineering team has significantly scaled its investment in advanced AI-assisted security analysis, including frontier model–based scanning and validation workflows to proactively identify vulnerabilities, assess remediation paths, and validate fixes across the Java dependency tree for Spring. Broadcom announced additional R&D investments to extend its proven clean-room build architecture, foundational to Bitnami, to build the Java dependencies for the entire Spring ecosystem. With this expanded investment in securing the Spring ecosystem and its dependencies, Tanzu Spring customers will have access to:

  • Secured, SLSA Level 3–validated software supply chain for Java dependencies.
  • Coverage that spans the full transitive dependency graph managed by the Spring Boot bill of materials.
  • Thousands of secured dependencies, built and tested across every supported Spring version. Spring Boot 4.0 alone manages 1,768 of them; across the full supported portfolio, that totals more than 100,000 validated dependency builds.

Additionally, as members of the open source community for over two decades, the Spring team has broad relationships across adjacent open source technologies and will continue to collaborate and contribute to these upstream community projects.  

Purnima Padmanabhan, GM Tanzu Division, delivers her assessment of the current AI-fueled security landscape.

How Tanzu Spring helps mitigate growing security risks

Tanzu Spring artifacts are accessible to customers through the Spring Enterprise Repository, a more secure, restricted-access digital vault. By using Tanzu Spring's private artifact repositories, regulated organizations can reduce risk vectors by drawing all their artifacts from a single, trusted source: Broadcom, the maintainer of Spring. In addition to the private repository, Tanzu Spring customers benefit from:

  • Certified source for secure Spring libraries
  • Commercial-first release of patches for both current and older, enterprise-supported versions
  • Access to dependent Java binaries
  • Automated, deterministic upgrades with Spring Application Advisor
  • Exclusive Tanzu Spring components for governance and security
  • 24×7 support, hands-on expertise and access to the Spring team 

Eliminate “Dependency Debt” with App Advisor 

The biggest bottleneck in applying an emergency security patch is rarely the patch itself; it is the fear of what the patch will break. When applications sit on outdated versions or older frameworks for years, they accumulate "dependency debt." When teams continuously align their software versions with current vendor standards, applying a security patch becomes a minor event rather than a high-risk overhaul.

Included as a component of Tanzu Spring, Application Advisor reduces the friction of Spring application modernization. It delivers automated, deterministic recommendations and helps implement changes, from initial portfolio assessments to individual upgrade steps including code, configuration and dependency changes. Leveraging Application Advisor removes the bottleneck to applying emergency patches by paying down dependency debt in a streamlined way. Application Advisor has been shown to reduce the engineering time for upgrades by 70%. Read the case study.

Our commitment to the health and security of Spring 

In response to the genuinely dramatic shift in AI-enabled security threats, Broadcom is adapting our Spring engineering process and continuing our investments in the health of the Java and Spring ecosystems. By strengthening the security of the Java dependency tree for Spring and releasing security patches to enterprise customers earlier than ever before, we are enabling Tanzu Spring customers to expedite application remediation with validated patches from the steward of Spring. These engineering investments, combined with a private repository that provides secure provenance and tools like Application Advisor, can help enterprise organizations simplify their security patching process in this new era.

Learn more

Read the Spring team's blog on Spring and Security in the Times of AI.
If you would like to discuss your Spring application security and support approach, please contact us.