TL;DR: As previously mentioned, the May Spring release train has been moved and condensed to June 8-14. The majority of projects within the Spring portfolio will require upgrades for newly released security patches. It is strongly recommended to upgrade as soon as possible to the latest patches. Details about the expected scheduling are available at calendar.cupchino.shop.
Everywhere one looks in 2026, generative AI dominates the news. Across our industry, we are seeing material impacts of generative AI and its ability to accelerate time to market for business capabilities, improve quality by addressing defects faster, and automating non-programming tasks, allowing engineers to focus on where they are most critically needed.
The open-source world is experiencing these new capabilities on two fronts. Not only have we leveraged these new abilities in our own workflows – accelerating the delivery of new capabilities and bug fixes – but we have also felt the impact as our entire community does the same. It’s one thing for a development team of 4-10 engineers to use generative AI to build new features faster. It’s a whole other situation when, for each engineer on the team, there are dozens in our community using generative AI to create issues, pull requests, and security reports. Each person, including us, is at a different stage in learning how to get the best out of these new tools while avoiding “AI slop”.
Security reports represent a key area of increase experienced by us and the entire open-source ecosystem. AI models have drastically reduced the level of skill and knowledge required to identify code patterns that could be vulnerabilities, and the models themselves have become much better at finding such issues in the first place. One example of the drastic influx of new, AI-generated security reports is Mozilla’s recent release of 150 fixes for over 270 vulnerabilities due to code scanning done by Anthropic’s new Mythos preview. We have seen FreeBSD, considered one of the most secure operating systems in the industry, find a 20-year-old CVE via AI. These are just a couple of the many examples the open-source community has experienced with this current wave.
As others have reported, April saw a spike in announced CVEs from Spring when compared to the historic averages. In total we announced 26 new CVEs across the portfolio. What this doesn’t highlight is the equally significant spike in security reports. Compared to historic averages (typically about 6.5 new security reports a month), the incoming rate represents a dramatic spike. March 2026 saw 55 new security reports submitted by the community that resulted in the 26 new CVEs being announced in April.
In April, utilizing new scanning capabilities, we received an unprecedented 482 new security reports across 65 scanned projects. Of those 482 new reports, 370 came from our internal scanning capabilities and 112 came from the community. This means that even without the new scanning, we would still have seen a doubling of community reports compared to our already high number in March. While we clearly had an extreme spike in April’s reports, we do not expect reports to go back down to historic levels for a few months as the influx of AI-based reports continues (May had 72 community reports for example).
It is important to note that not every security report results in a new CVE being issued. The total mentioned above includes many duplicates or invalid findings that get filtered out (37% of internal scanning results were identified as either duplicate or invalid). As noted, we receive many reports from multiple sources, as well as findings that are not actual security concerns for the framework itself. We work directly with the researchers to clarify the scope and impact of every report, resulting in a mutual understanding of how it should be handled.
We highly recommend that all Spring users upgrade to the latest versions that are released in June to address the large number of security vulnerabilities that are being announced. While most CVEs are medium-to-low severity, the sheer volume of this release demands special attention.
We take the responsibility of securing the world’s most popular application framework for the JVM extremely seriously. Every security report that comes in is triaged and managed by an expert committer on the project it was reported against. The team collaborates with the reporter to fully understand the issue – whether it is an actual concern and what the scope of the fix should be. We also have the reporter validate any fix that we develop to ensure it is correct. This is an exception in the open-source support space. Between January 2024 and September 2025, only 2.6% of vulnerabilities reported to MITRE had a public proof of concept published[1]. This limits non-maintainers from being able to validate fixes. As the only provider of first-party support for the Spring portfolio, VMware Tanzu Spring is uniquely positioned to ensure this level of collaboration between the security community and our fixes, allowing us to be the only vendor able to release a fix prior to the public announcement of the CVE.
The rate of change in the Java ecosystem has been consistently accelerating. Java releasing every 6 months is just one example; many projects that Spring Boot depends on release new versions as frequently as every couple of months. The impact of AI on security reports and found vulnerabilities will only accelerate the number of releases enterprises need to consume to remain in compliance with various requirements, as well as the rate at which they consume them. Tanzu Spring helps with that by automating upgrades to keep you secure and compliant. Application Advisor provides actual code upgrades beyond just Dependabot-style dependency upgrades. Integrated into your CI systems, it generates pull requests based on the latest available versions of Spring, keeping you patched and safe.
The Spring team and Tanzu will continue to address any and all security reports that come in through appropriate disclosure measures to keep our customers and community secure. However, these are new times. While we expect this increase in reports to not be a single-month event, we do expect it to reduce as we address what this new type of tooling can identify. We are already seeing a significant increase in duplicates reported from multiple sources, indicating that there is a finite number of findings to be had. Once we address these, while the volume will decrease, we do not expect a return to historic norms for the foreseeable future.
You can find information about any of our security advisories at https://cupchino.shop/security. For more information about our security policy, you can read it here.
We encourage Tanzu Spring customers to take advantage of day 0 access to security patches in the Spring Enterprise Repository, and apply new fixes in line with the regular release cadence. If you require additional assistance applying patching or upgrading versions, Tanzu Spring offers professional services and advanced support.
If you’re unsure whether you have access to the Spring Enterprise Repository or have any questions, don’t hesitate to contact us.
[1]: https://www.tenable.com/blog/cyber-risk-lurks-in-the-vulnerability-disclosure-gaps