
Spring Framework 6.2 EOL on June 30 — the Same Day as the NIS2 Audit Deadline.

In 15 days, enterprises running Spring 6.2 lose open-source security patches on the same day the EU requires them to prove they have a patching strategy. Spring 7.0 is the upgrade path. The migration window is two weeks.


Two Deadlines, One Day

June 30, 2026 carries two deadlines that compound each other. Spring Framework 6.2.x reaches end of open-source support — no more security patches, no more bug fixes, no more community releases. On the same day, the NIS2 directive requires all 'essential' entities across the EU to complete their first formal compliance audit, including documented evidence of vulnerability management and patching processes. An organization still running Spring 6.2 on July 1 is therefore running an unsupported framework at the very moment it must prove it has a security patching strategy.

Spring Framework is the backbone of enterprise Java. Banks, insurance companies, government agencies, healthcare systems, and logistics platforms run on Spring. Spring 6.2.x includes critical security patches for CVE-2026-40987 (arbitrary file write, CVSS 7.1) and CVE-2026-40994 (WS-Security bypass, CVSS 8.2) — both disclosed in June 2026. After June 30, any new Spring vulnerability of similar severity will receive no open-source patch. Organizations must upgrade to Spring 7.0.x or purchase commercial extended support from VMware/HeroDevs.

June 30, 2026 (end-of-life date): Spring Framework 6.2.x open-source support ends. Source: Spring Framework GitHub Wiki.
June 30, 2026 (NIS2 audit deadline): first formal compliance audit for essential entities. Source: EU NIS2 Directive.
Spring 7.0.x (upgrade path): requires Java 21+. Source: Spring Framework documentation.

The Java 21 Requirement

Spring 7.0 requires Java 21 as the minimum runtime — a significant jump from Spring 6.2's Java 17 baseline. Organizations running Spring 6.2 on Java 17 must upgrade both the framework and the JVM simultaneously. This is not a minor version bump. It is a platform migration that touches every deployed service, every CI/CD pipeline, and every container image. For enterprises with hundreds of Spring microservices, the migration is a project measured in months, not days.

Fifteen days is not enough time for most enterprises to complete this migration. The realistic outcomes: some organizations will rush the upgrade and introduce regressions. Some will purchase commercial extended support (buying time, not solving the problem). Some will continue running Spring 6.2 after EOL, accumulating unpatched vulnerabilities in a framework that processes their most sensitive transactions. The last option is the most common — and after June 30, it is also a NIS2 compliance violation.
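The first step of that migration is knowing which services are still on 6.2 and which toolchains sit below the Spring 7 baseline. The following is an added example check, not WebPulse's or the Spring project's code: it parses a Maven pom.xml, resolves a `${property}` version reference, and flags services on Spring 6.2.x or compiling below Java 21. The pom is a constructed sample, and the EOL date and Java baseline are taken from this post as stated.

```python
import xml.etree.ElementTree as ET
from datetime import date

SPRING_62_EOL = date(2026, 6, 30)   # Spring 6.2.x EOL date as stated in the post
SPRING7_MIN_JAVA = 21               # Spring 7.0 Java baseline as stated in the post
JAVA_PROPS = ("maven.compiler.release", "maven.compiler.target", "java.version")

def _resolve(value, props):
    # Expand a single ${property} reference such as ${spring.version}
    if value.startswith("${") and value.endswith("}"):
        return props.get(value[2:-1], "")
    return value

def audit_pom(pom_xml: str, today: date) -> dict:
    """Assess one Maven pom.xml string against the 6.2 EOL and the Java 21 baseline."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():             # drop the POM xmlns so tags match by local name
        el.tag = el.tag.rpartition("}")[2]
    props = {c.tag: (c.text or "").strip()
             for p in root.iter("properties") for c in p}
    spring = set()
    for dep in root.iter("dependency"):
        if dep.findtext("groupId", "").strip() == "org.springframework":
            v = _resolve(dep.findtext("version", "").strip(), props)
            if v: spring.add(v)
    java = next((props[k] for k in JAVA_PROPS if k in props), None)
    java_release = int(java.removeprefix("1.")) if java else None  # "1.8" -> 8
    on_62 = any(v.startswith("6.2.") for v in spring)
    return {
        "spring_versions": sorted(spring),
        "java_release": java_release,
        "on_spring_6_2": on_62,
        "unsupported": on_62 and today > SPRING_62_EOL,
        "days_to_eol": (SPRING_62_EOL - today).days if on_62 else None,
        "meets_spring7_java_baseline": java_release is not None and java_release >= SPRING7_MIN_JAVA,
    }

# Constructed sample pom, not a real project: Spring 6.2 on a Java 17 toolchain
LEGACY_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <maven.compiler.release>17</maven.compiler.release>
    <spring.version>6.2.8</spring.version>
  </properties>
  <dependencies><dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>${spring.version}</version>
  </dependency></dependencies>
</project>"""
```

Run `audit_pom` over every service's pom in a repository scan to get the inventory an auditor will ask for; a service that reports `on_spring_6_2` and does not meet the Java baseline needs both the framework and JVM upgrade described above.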

The Enterprise Framework Lifecycle Problem

Spring's EOL timeline is aggressive but not unusual. Enterprise Java frameworks maintain major versions for 2-3 years. The problem is that enterprise upgrade cycles are 3-5 years. The framework lifecycle is shorter than the organization's ability to consume it. This gap — the time between EOL and actual upgrade — is the window during which organizations run unsupported, unpatched frameworks in production. For Spring 6.2, that window opens on June 30.

Compare this with frameworks that have different lifecycle models. Django maintains each LTS version for 3 years with security patches. Next.js patches are backported to recent majors. Hugo and Astro, as static site generators, have no server-side runtime to patch — the 'framework' runs at build time, not in production. The security maintenance burden is fundamentally different: a Spring application requires ongoing runtime patching in production. An Astro site requires no framework patches after deployment because there is no framework running in production to patch.

What WebPulse Data Shows

WebPulse's framework security scores reflect this lifecycle reality. Spring scores well on features and performance but carries the maintenance burden of a runtime framework with active CVEs. The two June 2026 Spring CVEs (40987 and 40994) affected versions going back to Spring 5.5 — seven years of releases. Organizations that deferred their Spring 5 to Spring 6 migration were exposed for years. Organizations that defer their Spring 6.2 to Spring 7 migration will follow the same pattern. The framework is not the problem. The upgrade velocity is the problem. And June 30 is the day the velocity problem meets a regulatory deadline.

CVEs in this analysis: CVE-2026-40987, CVE-2026-40994