fix(deps): update dependency org.springframework.boot:spring-boot-starter-actuator to v3.5.12 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.springframework.boot:spring-boot-starter-actuator (source)	3.5.6 → 3.5.12
org.springframework.boot:spring-boot-starter-actuator (source)	3.5.5 → 3.5.12

GitHub Vulnerability Alerts

CVE-2026-22731

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.
This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.
This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.

CVE-2026-22733

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.

---

Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-actuator)

v3.5.12

v3.5.11

Compare Source

🐞 Bug Fixes

• Whitespace can be incorrectly removed when spring-boot-configuration-processor runs on multi-line javadoc #​49039
• server.jetty.threads.max is ignored when using virtual threads #​48982
• Docker credential helpers with file extensions cannot be executed on Windows #​48965

📔 Documentation

• Couchbase and Kafka are incorrectly listed as supporting SSL with Docker Compose #​49211
• Document that use of non idiomatic format for '@Value' still apply for environment variables #​49054
• Document naming convention for custom test-scoped starters #​49014
• LICENSE.txt and NOTICE.txt files have the wrong content in the latest releases #​48996
• ApplicationContextAssert documents a non-existent assertion in getFailure() #​48973
• Highlight the importance of the preStop hook when configuring Kubernetes probes #​48936

🔨 Dependency Upgrades

• Upgrade to AssertJ 3.27.7 #​49075
• Upgrade to Groovy 4.0.30 #​49076
• Upgrade to Hibernate 6.6.42.Final #​49077
• Upgrade to Jaybird 6.0.4 #​49078
• Upgrade to JBoss Logging 3.6.2.Final #​49079
• Upgrade to Jetty 12.0.32 #​49080
• Upgrade to jOOQ 3.19.30 #​49081
• Upgrade to Logback 1.5.32 #​49243
• Upgrade to Micrometer 1.15.9 #​49064
• Upgrade to Micrometer Tracing 1.5.9 #​49065
• Upgrade to MySQL 9.6.0 #​49083
• Upgrade to Netty 4.1.131.Final #​49165
• Upgrade to Postgresql 42.7.10 #​49201
• Upgrade to Reactor Bom 2024.0.15 #​49066
• Upgrade to Spring Authorization Server 1.5.6 #​49067
• Upgrade to Spring Data Bom 2025.0.9 #​49068
• Upgrade to Spring Framework 6.2.16 #​49069
• Upgrade to Spring GraphQL 1.4.5 #​49070
• Upgrade to Spring Integration 6.5.7 #​49071
• Upgrade to Spring Kafka 3.3.13 #​49244
• Upgrade to Spring LDAP 3.3.6 #​49072
• Upgrade to Spring Pulsar 1.2.15 #​49073
• Upgrade to Spring Security 6.5.8 #​49225
• Upgrade to Spring Session 3.5.5 #​49074
• Upgrade to Tomcat 10.1.52 #​49084
• Upgrade to Undertow 2.3.23.Final #​49166

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​dsyer, @​linkian209, @​nosan, @​quaff, @​scordio, and @​srt

v3.5.10

🐞 Bug Fixes

• Evaluation of bean conditions unnecessarily queries the bean factory for types that are not present #​48836
• When a bean condition references a type that is not present, it appears as ? in the condition evaluation report #​48835
• Actuator /info endpoint fails in Java 25 Native Image (VirtualThreadSchedulerMXBean support) #​48810
• DataSourceBuilder cannot create oracle.ucp.jdbc.PoolDataSourceImpl in a native image #​48702
• Application JAR created by extract command is not reproductible #​48664
• AOT processing of tests should not be disabled when 'skipTests' is set #​48661
• Fix zero-length byte buffer in InspectedContent #​48649

📔 Documentation

• Update documentation for Buildpack's AOT Cache support #​48768
• Document support for configuring arguments passed to Docker Compose #​48657
• Clarify javadoc to make it clear that HazelcastConfigCustomizer beans are only applied if Hazelcast is configured via a config file #​48634
• Fix grammar and typos in the reference guide #​48596

🔨 Dependency Upgrades

• Upgrade to Classmate 1.7.3 #​48775
• Upgrade to Hibernate 6.6.41.Final #​48881
• Upgrade to HttpClient5 5.5.2 #​48777
• Upgrade to Logback 1.5.25 #​48882
• Upgrade to Micrometer 1.15.8 #​48705
• Upgrade to Micrometer Tracing 1.5.8 #​48706
• Upgrade to Pooled JMS 3.1.9 #​48779
• Upgrade to Postgresql 42.7.9 #​48883
• Upgrade to R2DBC MSSQL 1.0.4.RELEASE #​48847
• Upgrade to Reactor Bom 2024.0.14 #​48707
• Upgrade to REST Assured 5.5.7 #​48884
• Upgrade to Spring AMQP 3.2.9 #​48909
• Upgrade to Spring Data Bom 2025.0.8 #​48708
• Upgrade to Spring Integration 6.5.6 #​48921
• Upgrade to Spring Kafka 3.3.12 #​48709
• Upgrade to Spring Pulsar 1.2.14 #​48710
• Upgrade to Undertow 2.3.22.Final #​48848
• Upgrade to WebJars Locator Lite 1.1.3 #​48780

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​GaoSSR, @​izeye, and @​ngocnhan-tran1996

v3.5.9

Compare Source

🐞 Bug Fixes

• RabbitHealthIndicator reports an error when version is missing from the connection's server properties #​48486
• Profiles retained during AOT processing are not configured in a native image #​48475
• NullPointerException in UndertowWebServer.destroy() when using @DirtiesContext and Citrus Spring Boot Simulator #​48450
• Redis health check reports an error when redis_version is missing from the INFO response #​48326
• Parent's MeterRegistry beans are closed when child context closes #​48324
• SpringBootTest.UseMainMethod.WHEN_AVAILABLE and ALWAYS are incompatible with package-private or parameter-less main method #​48271

📔 Documentation

• Documentation has an outdated reference to the Jackson Kotlin Module #​48533
• Caching documentation should clarify how to use a no-op implementation to run a test suite #​48531
• Document that the default rolling policy for Log4j2 requires logging.file.path to be set #​48526
• License header in build samples is displayed in the reference documentation #​48477
• Configuring Two DataSources How-To code sample is inconsistent #​48448
• Improve javadoc for when to use class names rather than class references #​48395
• Document that org.aspectj.weaver.Advice must be on the classpath to enable support for Micrometer's annotations #​48359
• Polish TestRestTemplate examples in the reference guide #​48335
• Fix links to javadoc in the reference documentation #​48299
• Clarify that @EnableBatchProcessing turns off all batch auto-configuration, including schema initialization #​48265
• Kotlin auto-configuration examples are not annotated with @AutoConfiguration #​48227
• Infinispan Cache Documentation is outdated #​48217
• Revise "Use Liquibase for test-only migrations" section in reference manual #​48169

🔨 Dependency Upgrades

• Prevent upgrade to Netty 4.1.129.Final #​48508
• Upgrade to AspectJ 1.9.25.1 #​48557
• Upgrade to Hibernate 6.6.39.Final #​48540
• Upgrade to Jetty 12.0.31 #​48455
• Upgrade to jOOQ 3.19.29 #​48456
• Upgrade to Logback 1.5.22 #​48507
• Upgrade to MariaDB 3.5.7 #​48558
• Upgrade to Micrometer 1.15.7 #​48423
• Upgrade to Micrometer Tracing 1.5.7 #​48424
• Upgrade to Netty 4.1.130.Final #​48541
• Upgrade to Pooled JMS 3.1.8 #​48559
• Upgrade to Pulsar 4.0.8 #​48457
• Upgrade to Quartz 2.5.2 #​48458
• Upgrade to Reactor Bom 2024.0.13 #​48425
• Upgrade to Spring Authorization Server 1.5.5 #​48426
• Upgrade to Spring Data Bom 2025.0.7 #​48427
• Upgrade to Spring Framework 6.2.15 #​48428
• Upgrade to Spring GraphQL 1.4.4 #​48429
• Upgrade to Spring Integration 6.5.5 #​48560
• Upgrade to Spring LDAP 3.3.5 #​48430
• Upgrade to Spring Pulsar 1.2.13 #​48431
• Upgrade to Spring Session 3.5.4 #​48432
• Upgrade to Testcontainers 1.21.4 #​48542
• Upgrade to UnboundID LDAPSDK 7.0.4 #​48459

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​banseok1216, @​berry120, @​dmitrysulman, @​geopark021, @​noojung, @​scottfrederick, @​vpavic, and @​youngledo

v3.5.8

Compare Source

⚠️ Noteworthy changes

• This release contains a fix to get Testcontainers working with modern Docker versions. If this causes problems in your setup, you can downgrade the minimum Docker API, effectively reverting that change.

🐞 Bug Fixes

• Gradle war task does not exclude starter POMs from lib-provided #​48196
• Testcontainers integration fails on Docker 29.0.0 #​48192
• SslMeterBinder doesn't register metrics for dynamically added bundles if no bundles exist at bind time #​48180
• Properties bound in the child management context ignore the parent's environment prefix #​48176
• ssl.chain.expiry metrics doesn't update for dynamically registered SSL bundles #​48153
• Auto-configuration exclusions are checked using a different class loader to the one that loads auto-configuration classes #​48129
• New arm64 macbooks fail to bootBuildImage due to incorrect platform image #​48127
• NullPointerException when using @ConditionalOnSingleCandidate with multiple manually registered singletons #​48123
• Buildpack fails with recent Docker installs due to hardcoded version in URL #​48102
• Image building may fail when specifying a platform if an image has already been built with a different platform #​48098
• Undertow's ServletContext is destroy too early, making it unusable in @PreDestroy methods #​48061
• PortInUseException incorrectly thrown on failure to bind port due to Netty IP misconfiguration #​48058
• Auto-configured JCacheMetrics cannot be customized #​48056
• WebSecurityCustomizer beans are excluded by WebMvcTest #​48054
• Devtools Restarter does not work with a parameterless main method #​47987
• Setting 'max-uri-tags' does not prevent unlimited meter growth on any AutoConfiguredCompositeMeterRegistry #​47923
• Docker response 407 is not handled correctly resulting in no error message #​47900
• spring-boot-maven-plugin process-aot goal does not find package-private main method #​47780

📔 Documentation

• Revise AWS section of "Deploying to the Cloud" in reference manual #​48156
• Fix typo in PortInUseException Javadoc #​48133
• Correct section about required setters in "Type-safe Configuration Properties" #​48130
• Document EndpointObjectMapper and management.endpoints.jackson.isolated-object-mapper #​48114
• Document support for configuring servlet context init parameters using properties #​48111
• Clarify how warnings about soon-to-expire SSL certificates are reported #​48062
• Document how to use ContextPropagatingTaskDecorator for propagating trace context over thread boundaries #​48052
• Use since attribute in configuration properties deprecation consistently #​47980
• BootstrapContext#getOrElseThrow has incorrect reference to IllegalStateException #​47905
• Clarify when BootstrapContext get methods may return null rather than throwing an exception or calling the fallback supplier #​47898
• Document that Actuator endpoint may have at most one extension of each type #​47873
• Limit Kotlin API documentation to Kotlin-specific APIs #​47859
• Adapt AOTCache documentation to JEP 514 #​47274

🔨 Dependency Upgrades

• Downgrade to Cassandra Driver 4.19.0 #​47926
• Upgrade to AspectJ 1.9.25 #​48005
• Upgrade to Caffeine 3.2.3 #​48006
• Upgrade to Cassandra Driver 4.19.2 #​48183
• Upgrade to DB2 JDBC 12.1.3.0 #​48083
• Upgrade to Hibernate 6.6.36.Final #​48148
• Upgrade to Jackson Bom 2.19.4 #​48008
• Upgrade to Jetty 12.0.30 #​48118
• Upgrade to Jetty Reactive HTTPClient 4.0.13 #​48149
• Upgrade to jOOQ 3.19.28 #​48084
• Upgrade to Logback 1.5.21 #​48085
• Upgrade to Micrometer 1.15.6 #​48009
• Upgrade to Micrometer Tracing 1.5.6 #​48010
• Upgrade to MySQL 9.5.0 #​48011
• Upgrade to Neo4j Java Driver 5.28.10 #​48044
• Upgrade to Quartz 2.5.1 #​48012
• Upgrade to R2DBC Postgresql 1.0.9.RELEASE #​48013
• Upgrade to Reactor Bom 2024.0.12 #​48014
• Upgrade to Spring Data Bom 2025.0.6 #​48039
• Upgrade to Spring Framework 6.2.14 #​48166
• Upgrade to Spring Integration 6.5.4 #​48040
• Upgrade to Spring Kafka 3.3.11 #​48041
• Upgrade to Spring Pulsar 1.2.12 #​48042
• Upgrade to Spring Security 6.5.7 #​48043
• Upgrade to Tomcat 10.1.49 #​48086

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​K-jun98, @​TerryTaoYY, @​hojooo, @​linw-bai, @​mipo256, @​namest504, @​ngocnhan-tran1996, @​nosan, @​scottfrederick, @​siva-sai-udaygiri, @​tschut, and @​vpavic

v3.5.7

Compare Source

⭐ New Features

• Add TWENTY_FIVE to JavaVersion enum #​47609

🐞 Bug Fixes

• Signed jar verification fails when nested in an uber war running on an Oracle JVM #​47771
• In an uber war, value of the Sbom-Location manifest attribute does not match the SBOM's actual location #​47737
• Homebrew formula for the CLI should use libexec #​47722
• When virtual threads are enabled, embedded Jetty does not use recommended virtual thread configuration #​47717
• ClientHttpRequestFactoryRuntimeHints is missing timeout methods with Duration overloads #​47678
• OnBeanCondition no longer correctly finds annotations on scoped target proxy beans #​47635
• JavaVersion doesn't work reliably in native-image #​47620
• LiquibaseEndpoint always uses defaultSchema instead of liquibaseSchema #​47346
• Launcher fails to find main method when it is parameterless #​47311
• Package private Main class using Java 25 is not found by build plugins #​47309
• Bitnami legacy images are not automatically detected #​47275
• Maven plugin does not provide an easy way to exclude optional dependencies from uber jar #​25403

📔 Documentation

• Some spring.test.* properties are not documented #​47775
• Dependency management for Maven AntRun Plugin is missing changelog link #​47744
• Developing Your First Spring Boot Application has outdated tools #​47700
• Include deprecated configuration properties in the reference documentation #​47669
• Aggregated Javadoc should link to the proper version of JakartaEE #​47593
• Update javadoc of TestRestTemplate following change to redirect behavior #​47474
• Use non-deprecated syntax to configure sourceCompatibility #​47343
• Fix link to Framework's @Bean annotation #​47330
• Update managed dependency version override examples in documentation #​47306

🔨 Dependency Upgrades

• Upgrade to ActiveMQ 6.1.8 #​47767
• Upgrade to Angus Mail 2.0.5 #​47525
• Upgrade to AssertJ 3.27.6 #​47526
• Upgrade to Byte Buddy 1.17.8 #​47527
• Upgrade to Cassandra Driver 4.19.1 #​47768
• Upgrade to Classmate 1.7.1 #​47528
• Upgrade to Elasticsearch Client 8.18.8 #​47671
• Upgrade to Glassfish JAXB 4.0.6 #​47529
• Upgrade to GraphQL Java 24.3 #​47755
• Upgrade to Groovy 4.0.29 #​47713
• Upgrade to Hibernate 6.6.33.Final #​47530
• Upgrade to HttpClient5 5.5.1 #​47531
• Upgrade to HttpCore5 5.3.6 #​47532
• Upgrade to Jakarta Mail 2.1.5 #​47533
• Upgrade to Jakarta XML Bind 4.0.4 #​47242
• Upgrade to Jetty 12.0.29 #​47728
• Upgrade to Jetty Reactive HTTPClient 4.0.12 #​47534
• Upgrade to jOOQ 3.19.27 #​47536
• Upgrade to Logback 1.5.20 #​47714
• Upgrade to Lombok 1.18.42 #​47538
• Upgrade to Maven Compiler Plugin 3.14.1 #​47539
• Upgrade to Micrometer 1.15.5 #​47457
• Upgrade to Micrometer Tracing 1.5.5 #​47458
• Upgrade to MongoDB 5.5.2 #​47648
• Upgrade to MSSQL JDBC 12.10.2.jre11 #​47612
• Upgrade to Netty 4.1.128.Final #​47649
• Upgrade to Postgresql 42.7.8 #​47540
• Upgrade to Pulsar 4.0.7 #​47541
• Upgrade to R2DBC H2 1.0.1.RELEASE #​47729
• Upgrade to R2DBC Postgresql 1.0.8.RELEASE #​47542
• Upgrade to Reactor Bom 2024.0.11 #​47459
• Upgrade to RxJava3 3.1.12 #​47543
• Upgrade to Spring AMQP 3.2.8 #​47614
• Upgrade to Spring Authorization Server 1.5.3 #​47460
• Upgrade to Spring Batch 5.2.4 #​47487
• Upgrade to Spring Data Bom 2025.0.5 #​47461
• Upgrade to Spring Framework 6.2.12 #​47462
• Upgrade to Spring GraphQL 1.4.3 #​47754
• Upgrade to Spring Integration 6.5.3 #​47615
• Upgrade to Spring LDAP 3.3.4 #​47463
• Upgrade to Spring Pulsar 1.2.11 #​47464
• Upgrade to Spring Security 6.5.6 #​47465
• Upgrade to Spring Session 3.5.3 #​47466
• Upgrade to Spring WS 4.1.2 #​47467
• Upgrade to Tomcat 10.1.48 #​47613
• Upgrade to Undertow 2.3.20.Final #​47545
• Upgrade to WebJars Locator Lite 1.1.2 #​47546

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​DKARAGODIN, @​JinhyeokFang, @​Lublanski, @​Pankraz76, @​fhiyo, @​ngocnhan-tran1996, @​nosan, @​scottfrederick, and @​xyraclius

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!