
Update dependency org.springframework.security:spring-security-web to v6 [SECURITY] (3.33) #4090

Closed
renovate[bot] wants to merge 1 commit into 3.33 from renovate/3.33-maven-org.springframework.security-spring-security-web-vulnerability


Conversation

@renovate renovate bot (Contributor) commented Mar 21, 2026

This PR contains the following updates:

Package                                                    | Change          | Age | Confidence
-----------------------------------------------------------|-----------------|-----|-----------
org.springframework.security:spring-security-web (source)  | 5.8.16 -> 6.0.0 | age | confidence

Spring Security HTTP Headers Are not Written Under Some Conditions

CVE-2026-22732 / GHSA-mf92-479x-3373


Details

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. 
This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-web)

v6.0.0

Compare Source

⏪ Breaking Changes

  • CsrfAuthenticationStrategy is not consistent with CsrfFilter #12235
  • Register FilterChainProxy for all dispatcher types #12180

⭐ New Features

  • Add test runtime hints for annotations using @WithSecurityContext #12215
  • Add WebTestUtils test runtime hints #12216
  • Align with Servlet API 6 #12146
  • Document Configure Default SessionAuthenticationStrategy #12192
  • Document DelegatingSecurityContextRepository #12185
  • Improve deprecation notice in WebSecurityConfigurerAdapter #12262
  • Log a warning when AuthorizationGrantType does not exactly match a pre-defined constant #12234
  • Migration guide for the removal of CAS #12163
  • Polish Span and Meter Names #12225
  • Register FilterChainProxy for All Dispatcher Types Migration Steps #12212
  • Restructure 6.0 Migration Guide #12242
  • Support Jakarta WebSocket 2.1 #12148

🪲 Bug Fixes

  • CsrfAuthenticationStrategy does not check for existing token #12241
  • Ensure instrumentation names align with semantic conventions #12156
  • Incorrect scope map fix #12207
  • SAML logout: Incorrect log messages #12210
  • Saml2MetadataFilter response should configure writer to UTF-8 #12223

🔨 Dependency Upgrades

  • Update micrometer-observation to 1.10.1 #12250
  • Update org.springframework to 6.0.0 #12255
  • Update org.springframework.data to 2022.0.0 #12256
  • Update r2dbc-h2 to 1.0.0.RELEASE #12251
  • Update slf4j-api to 2.0.4 #12254
  • Update spring-ldap-core to 3.0.0 #12257

❤️ Contributors

We'd like to thank all the contributors who worked on this release!


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
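The advisory above states only that, under some conditions it does not spell out here, the HTTP response headers an application configures through Spring Security may not be written. What a team taking this upgrade wants is a regression check that fails if the headers it relies on stop appearing. The JUnit 5 / MockMvc test below is an added example, not code from this PR, from Renovate or from the Spring Security project; the endpoint paths and the header set are assumptions about the application under test (the three headers listed are ones Spring Security writes by default when they are not disabled in the HttpSecurity configuration).

```java
// Added example (not from the PR or the Spring Security project): a regression
// test asserting that the security response headers the application expects are
// present on its responses. Paths and the EXPECTED header list are assumptions.
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

import java.util.List;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.ResultActions;

@SpringBootTest
@AutoConfigureMockMvc
class SecurityHeadersRegressionTest {

    @Autowired
    private MockMvc mockMvc;

    // Headers Spring Security writes by default. Assumption: the application keeps
    // these defaults; adjust the list to whatever its HttpSecurity config sets.
    private static final List<String> EXPECTED = List.of(
            "X-Content-Type-Options",
            "X-Frame-Options",
            "Cache-Control");

    // Hypothetical endpoints; replace with the application's own public and
    // authenticated paths so every filter chain it defines is exercised.
    @ParameterizedTest
    @ValueSource(strings = {"/", "/login", "/api/health"})
    void securityHeadersArePresent(String path) throws Exception {
        ResultActions result = mockMvc.perform(get(path));
        for (String name : EXPECTED) {
            // Fails the test, naming the missing header, if it was not written.
            result.andExpect(header().exists(name));
        }
    }
}
```

Run it once before and once after the dependency bump; a header that disappears between the two runs is the signal to investigate before merging. Because the advisory does not say which conditions suppress the headers, the value of the test is in covering each of the application's own filter chains and dispatch paths, not in any single request.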

@renovate renovate bot added the security Security fixes label Mar 21, 2026
@renovate renovate bot enabled auto-merge (squash) March 21, 2026 01:16
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-web to v6 [SECURITY] (3.33) Update dependency org.springframework.security:spring-security-web to v6 [SECURITY] (3.33) - autoclosed Mar 24, 2026
@renovate renovate bot closed this Mar 24, 2026
auto-merge was automatically disabled March 24, 2026 04:40

Pull request was closed

@renovate renovate bot deleted the renovate/3.33-maven-org.springframework.security-spring-security-web-vulnerability branch March 24, 2026 04:40
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-web to v6 [SECURITY] (3.33) - autoclosed Update dependency org.springframework.security:spring-security-web to v6 [SECURITY] (3.33) Mar 24, 2026
@renovate renovate bot reopened this Mar 24, 2026
@renovate renovate bot force-pushed the renovate/3.33-maven-org.springframework.security-spring-security-web-vulnerability branch 2 times, most recently from 1a16744 to a340661, March 24, 2026 06:44
@sbrunner sbrunner closed this Mar 24, 2026
@renovate renovate bot (Contributor, Author) commented Mar 24, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 6.x releases. But if you manually upgrade to 6.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
