diff --git a/CHANGELOG.md b/CHANGELOG.md index 69f74b9..8c815e8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## Unreleased +### Security + +- **CVE-2026-4926**: Upgraded `@modelcontextprotocol/sdk` to `^1.29.0`, resolving `path-to-regexp` to `8.4.1` and fixing the ReDoS vulnerability [GHSA-j3q9-mxjg-w52f](https://github.com/advisories/GHSA-j3q9-mxjg-w52f); regenerated output-validation patch for the new version + ### Public API - **Add `getAllTools` and `getVersionInfo` to public exports** — `getAllTools` is now re-exported from `@mapbox/mcp-devkit-server/tools` and `getVersionInfo` (plus `VersionInfo` type) from `@mapbox/mcp-devkit-server/utils`. These are needed by `hosted-mcp-server` to import server functionality via npm packages instead of submodule filesystem paths. diff --git a/cspell.config.json b/cspell.config.json index e8f6d4a..e31b77f 100644 --- a/cspell.config.json +++ b/cspell.config.json @@ -7,7 +7,9 @@ "isochrone", "mapbox", "mmss", - "tilequery" + "tilequery", + "GHSA", + "mxjg" ], "ignorePaths": [ "node_modules",
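Review bot: In the CHANGELOG.md hunk, the new Security entry attributes the fix to `path-to-regexp` resolving to `8.4.1`, but a caret range such as `^1.29.0` on `@modelcontextprotocol/sdk` does not by itself determine which transitive version is installed; the lockfile does. None of the lines shown here touch package.json, the lockfile or the regenerated output-validation patch, so please confirm those are part of this same change. Consider also adding an `overrides` entry for `path-to-regexp`, or saying in the entry that `8.4.1` is the resolved version to check for, so that anyone installing without this lockfile can verify they have the fix.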
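Review bot: In the cspell.config.json hunk, `"mxjg"` is a fragment of a single advisory id (GHSA-j3q9-mxjg-w52f), so every future advisory link will need another dictionary word, and the string becomes an accepted spelling across the whole repo. Suggest dropping it and ignoring advisory ids by pattern through `ignoreRegExpList`, keeping `"GHSA"` only if it is still flagged afterwards. Minor style point: the visible existing entries are lowercase and in alphabetical order, and the two new words are appended out of that order.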