Spring Boot 4.1 lands gRPC auto-configuration, SSRF mitigation, and the Kotlin 2.3 baseline
Spring Boot 4.1 shipped 2026-06-10 with Spring gRPC auto-configuration for server and client applications, a new InetAddressFilter that blocks SSRF on both reactive and blocking HTTP clients, and a Kotlin baseline upgrade to 2.3.21 alongside Spring Framework 7.0.8.
Spring Boot 4.1 shipped on 2026-06-10 with a feature mix that pulls gRPC into the auto-configuration default, hardens outbound HTTP clients against SSRF at the framework level, and moves the Kotlin baseline to 2.3.21 alongside Spring Framework 7.0.8 and Spring Security 7.1.0. The release is the first GA in the 4.x line to treat gRPC as a first-class transport rather than a community add-on, and the SSRF work codifies a defense the Java ecosystem has previously left to application code.
What shipped
Spring gRPC auto-configuration covers both server and client applications. The server side supports standalone Netty transport and HTTP/2 Servlet integration, exposes the auto-configured ObservationGrpcServerInterceptor for metrics and tracing, and ships @GrpcAdvice for centralized exception handling on the gRPC surface in the same shape @ControllerAdvice has on the MVC surface. The client side resolves stubs through the application context so Boot-managed dependencies and observability plumbing pass through unchanged. The three Spring Boot starters that drive the surface are spring-boot-grpc-server, spring-boot-grpc-client, and spring-boot-grpc-test. Current Spring gRPC 1.0 users have a migration path documented in commits 76ff80a2 and 5ab487f1.
The SSRF mitigation lands as a new InetAddressFilter that both reactive and blocking HTTP clients can be configured against. The filter blocks outgoing requests to specific address ranges by whitelist or blacklist, which gives Spring applications a framework-level guard against the class of attacks where an attacker-supplied URL coerces the server into reaching a private network. Until 4.1, this was application-layer work; the change in 4.1 is that the framework provides a tested implementation and the configuration surface to apply it consistently.
The dependency baseline jumps Kotlin from 2.2 to 2.3.21 (with Kotlin Serialization 1.11.0), which inherits Java 25 compatibility and the experimental unused-return-value checker from the Kotlin 2.3 line. Spring Framework, Spring GraphQL, Spring HATEOAS, Spring Integration, Spring Kafka, Spring Security, and Spring Session all move up a major increment, and Spring gRPC 1.1.0 ships in lockstep with the gRPC starters. Supporting work includes lazy datasource connections through spring.datasource.connection-fetch=lazy, automatic context propagation for @Async methods, expanded OpenTelemetry configuration, Redis listener auto-configuration, and six new fields on the /actuator/info endpoint.
Where this lands in the market
The gRPC story is the headline strategic move. Spring Boot has covered REST, GraphQL, and WebFlux as first-class transports for years, but gRPC has been a starter-by-community territory dominated by net.devh.boot.grpc and similar third-party projects. By moving gRPC inside the Spring Boot starter and observability story, the project is recognizing that gRPC-first internal services have become the default at the Spring-Java enterprise tier the framework historically serves. The pairing with the auto-configured ObservationGrpcServerInterceptor signals the team treats metrics and tracing parity with the existing servlet path as the bar.
The SSRF work reads as a security-baseline move rather than a feature ship. The InetAddressFilter does not change what Spring applications can do; it changes what they fail safe on by default once configured. The framework’s prior approach has been to document defense in reference material and leave the implementation to the application, which is the pattern most Java frameworks share. The framework-level filter shortens the distance between “we know about SSRF” and “the egress is locked down,” which matters most for shops that ship many small Spring services with shared egress policy.
The Kotlin 2.3 baseline is the move that quietly enables the JVM-25 story Java shops are working through this year. Spring Framework 7 already requires Java 17 and supports Java 25; Spring Boot 4.1’s Kotlin upgrade closes the gap for Kotlin-first Spring shops that need 2.3 features to compile cleanly against Java 25 build targets in CI. The other major upgrades (Security 7.1.0, Integration 7.1.0, Kafka 4.1.0) are best treated as supporting work rather than a headline; each carries its own changelog the migrator needs to read carefully.
What’s worth watching
- Third-party gRPC starter sunsetting. With first-party gRPC auto-configuration in Boot, the question is whether the net.devh line and similar community starters consolidate behind Spring’s shape or hold a distinct surface. The next two minor versions of the third-party starters tell which way the ecosystem settles.
- InetAddressFilter adoption pattern. Whether Boot ships a default-deny configuration in 4.2 or holds the opt-in shape as a long-term posture will signal how aggressive the framework is willing to be on egress hardening for greenfield apps. The default in 4.1 is opt-in.
- Kotlin 2.3 stability under Java 25 builds. The Kotlin baseline change inherits the unused-return-value checker, which the Kotlin team marks as experimental. Boot shops on Java 25 will see the checker first; whether the noise level slows adoption or whether 2.3.21’s compatibility holds through Java 25’s mainline release determines how cleanly the Kotlin-Spring lane moves through Q3.
The plain reading is that Spring Boot 4.1 is doing two unrelated kinds of work in one release. The gRPC story is a category-claim that recognizes how internal-service traffic now moves on Java shops, and the SSRF and Kotlin work is the kind of platform hygiene that lets the framework keep its grip on the Java enterprise floor. The risk in 4.1 is the standard 4.x risk: every minor version of Spring Boot in the 4.x line drags a stack of Spring sub-projects with it, and the team’s discipline on coordinated upgrades is the variable that keeps 4.1 a quiet migration rather than a noisy one.