diff --git a/CHANGELOG.md b/CHANGELOG.md
index 23e2f51..a27b2f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## [4.0.1](https://github.com/auth0/node-xml-encryption/compare/v4.0.0...v4.0.1) (2026-06-25)
+
+### Bug Fixes
+
+* bump @xmldom/xmldom to 0.8.13 to address CVE-2026-34601 ([#128](https://github.com/auth0/node-xml-encryption/issues/128)) ([5980ce6](https://github.com/auth0/node-xml-encryption/commit/5980ce66534c545431f862b4daa3143cfc08e677))
+
 ## [4.0.0](https://github.com/auth0/node-xml-encryption/compare/v3.1.0...v4.0.0) (2026-03-31)
 
 ### ⚠ BREAKING CHANGES
diff --git a/package-lock.json b/package-lock.json
index 2aa9802..7b6a5d1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "xml-encryption",
-  "version": "4.0.0",
+  "version": "4.0.1",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "xml-encryption",
-      "version": "4.0.0",
+      "version": "4.0.1",
       "license": "MIT",
       "dependencies": {
         "@xmldom/xmldom": "^0.8.13",
diff --git a/package.json b/package.json
index 30f8111..2d94c7a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "xml-encryption",
-  "version": "4.0.0",
+  "version": "4.0.1",
   "devDependencies": {
     "@commitlint/cli": "^20.3.1",
     "@commitlint/config-conventional": "^20.3.1",