Broadcom announces the largest series of Spring security updates in the framework’s 23-year history. The Tanzu division is responding to an explosive increase in AI-discovered vulnerabilities, offering Tanzu Spring customers day-zero access to CVE-only patches, and introducing an SLSA Level 3-certified software supply chain for the entire Java ecosystem.
The reason is an explosive increase in AI-discovered vulnerabilities: the number of monthly security advisories rose by more than 1,700 percent from March to April 2026. Purnima Padmanabhan, VP and General Manager of the Tanzu Division at Broadcom, states: “Spring is one of the most widely adopted application development frameworks in the world, and as its steward, we have a deep responsibility for its security.”
The Spring framework powers applications at more than half of the Fortune 500 companies. A recent vulnerability such as CVE-2026-22737, a path traversal bug affecting multiple Spring Framework versions, demonstrates just how acute the threat is. Broadcom also extended its clean-room build architecture, the foundation of Bitnami, to all Java dependencies within the Spring ecosystem.
Day-zero patches and supply chain security
Tanzu Spring customers will now receive day-zero access to validated CVE-only patches via the Spring Enterprise Repository, even before they are released to open source. CVE-only patches isolate the security patch from other changes, enabling faster remediation and reducing the exposure window.
Customers also gain access to an SLSA Level 3-certified software supply chain for Java dependencies. Spring Boot 4.0 alone manages 1,768 dependencies; across the entire supported portfolio, that amounts to more than 100,000 validated dependency builds. Spring Framework 6.2 and Spring Boot 3.5 will reach end-of-life on June 30, 2026, making the timing of these updates particularly relevant.
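What an SLSA Level 3 supply chain gives a consumer is a signed provenance statement per artifact, and the value only materialises if the consumer actually checks it before a dependency enters the build. The following is an added example (not Broadcom, Spring or Bitnami code) of the consumer-side check in Python: it binds a downloaded artifact to a SLSA v1 provenance statement in the in-toto Statement v1 format by comparing the sha256 digest, and refuses the artifact unless the recorded builder is on an allow-list. The builder id, build type, source URL and jar bytes are constructed placeholders; the DSSE envelope signature that an SLSA L3 pipeline wraps the statement in must be verified separately and is not shown here.

```python
"""Consumer-side check of a SLSA v1 provenance statement for a Java artifact.

Added example, not project code. Assumes the provenance is an in-toto
Statement v1 carrying a https://slsa.dev/provenance/v1 predicate. The
builder identity, artifact bytes and URLs below are constructed placeholders.
"""
import hashlib
import hmac
import json

# Constructed placeholder: builder identities this organisation has chosen to trust.
TRUSTED_BUILDER_IDS = {"https://builder.example.invalid/slsa-l3"}

# Constructed stand-in for the bytes of a downloaded jar.
SAMPLE_JAR = b"PK\x03\x04 constructed-sample-jar-bytes"


def sha256_hex(data: bytes) -> str:
    """Hex sha256 of the artifact, the digest algorithm used in the subject entry."""
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact_name: str, artifact: bytes, builder_id: str) -> dict:
    """Construct a minimal SLSA v1 provenance statement for the artifact.

    In a real pipeline this comes from the build platform, not the consumer;
    it is built here only so the example runs offline.
    """
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                # Placeholder build type and source reference.
                "buildType": "https://builder.example.invalid/buildtypes/maven@v1",
                "externalParameters": {"source": "https://git.example.invalid/spring-dep"},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(statement: dict, artifact_name: str, artifact: bytes,
                      trusted_builders=TRUSTED_BUILDER_IDS) -> tuple:
    """Return (ok, reason) after checking statement type, subject digest and builder.

    Only the statement contents are checked here; the DSSE signature over the
    statement must already have been verified against the builder's key.
    """
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        return False, "not an in-toto v1 statement"
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False, "predicate is not SLSA provenance v1"

    # The statement must name this exact artifact as one of its subjects.
    subject = next((s for s in statement.get("subject") or []
                    if s.get("name") == artifact_name), None)
    if subject is None:
        return False, "artifact not listed as a subject"

    # Bind the statement to the bytes actually downloaded.
    expected = subject.get("digest", {}).get("sha256", "")
    if not hmac.compare_digest(expected, sha256_hex(artifact)):
        return False, "sha256 digest mismatch"

    # Provenance from an unknown builder proves nothing, however well-formed.
    builder_id = (statement.get("predicate", {}).get("runDetails", {})
                  .get("builder", {}).get("id"))
    if builder_id not in trusted_builders:
        return False, "untrusted builder: %s" % builder_id
    return True, "ok"


if __name__ == "__main__":
    good = make_provenance("dep-1.0.jar", SAMPLE_JAR, "https://builder.example.invalid/slsa-l3")
    print(json.dumps(good, indent=2))
    print(verify_provenance(good, "dep-1.0.jar", SAMPLE_JAR))
    print(verify_provenance(good, "dep-1.0.jar", SAMPLE_JAR + b"tampered"))
```

The digest comparison uses `hmac.compare_digest` out of habit rather than necessity (the digests are public), and the allow-list is deliberately a set of exact builder ids rather than a prefix match, since a loose match is the usual way a trusted-builder check is quietly widened.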