diff --git a/CHANGELOG.md b/CHANGELOG.md index 593e735db..e7778bdc5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Added per-step token cost tracking and estimated tool call token usage to Ask Sourcebot chat history. [#1353](https://github.com/sourcebot-dev/sourcebot/pull/1353) +### Fixed +- Upgraded `golang.org/x/crypto` to `^0.52.0` in the zoekt build to address CVE-2026-39827. [#1363](https://github.com/sourcebot-dev/sourcebot/pull/1363) + ## [5.0.4] - 2026-06-18 ### Changed diff --git a/Dockerfile b/Dockerfile index 6c6b2439f..c78f35b55 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,6 +26,10 @@ WORKDIR /zoekt COPY vendor/zoekt/go.mod vendor/zoekt/go.sum ./ RUN go mod download COPY vendor/zoekt ./ +# Force-upgrade golang.org/x/crypto to a patched version to address CVE-2026-39827 +# (unbounded memory growth from repeatedly-rejected SSH channels). This pulls the +# fixed version into the built zoekt binaries; remove once vendor/zoekt pins >= v0.52.0. +RUN go get golang.org/x/crypto@v0.52.0 RUN CGO_ENABLED=0 GOOS=linux go build -o /cmd/ ./cmd/... # -------------------------
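Review bot: in the CHANGELOG hunk, the version is written as `^0.52.0`, which is npm-style caret range syntax that Go modules do not use, while the Dockerfile hunk pins `golang.org/x/crypto@v0.52.0` exactly. State the version the build actually uses, e.g. "Upgraded `golang.org/x/crypto` to `v0.52.0` in the zoekt build ...", so the changelog matches the pinned dependency.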
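Review bot: in the Dockerfile hunk, `RUN go get golang.org/x/crypto@v0.52.0` only rewrites go.mod/go.sum inside the image; if the copied `vendor/zoekt` tree contains its own `vendor/` directory, `go build` defaults to `-mod=vendor` and will fail on the now-inconsistent `vendor/modules.txt`, so either confirm no such directory exists or follow the `go get` with `go mod vendor`. It would also be worth a build-time check that the fix actually lands in the binaries, for example `RUN go list -m golang.org/x/crypto` before the `go build` line, and the comment's "remove once vendor/zoekt pins >= v0.52.0" should be tracked somewhere (an issue or TODO with an owner) so the override does not outlive the upstream bump.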