Upgrade Spring Boot 4.0.1 -> 4.0.3 to fix tomcat-embed-core CVE-2026-24734

meysholdt · ona-agent · meysholdt · commit 30c31ebd8748 · 2026-03-15T03:57:30.000Z
Resolves SNYK-JAVA-ORGAPACHETOMCATEMBED-15307822 (Incorrect Authorization,
high severity) by pulling in tomcat-embed-core 11.0.18 via the Spring Boot
parent BOM upgrade.

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/build.gradle b/build.gradle
@@ -1,7 +1,7 @@
 plugins {
   id 'java'
   id 'checkstyle'
-  id 'org.springframework.boot' version '4.0.1'
+  id 'org.springframework.boot' version '4.0.3'
   id 'io.spring.dependency-management' version '1.1.7'
   id 'org.graalvm.buildtools.native' version '0.11.3'
   id 'org.cyclonedx.bom' version '3.0.2'
diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>4.0.1</version>
+    <version>4.0.3</version>
   </parent>
   <groupId>org.springframework.samples</groupId>
   <artifactId>spring-petclinic</artifactId>
