diff --git a/CHANGELOG.md b/CHANGELOG.md index 137b1462..d89b840f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## [0.15.17.0] - 2026-04-07 + +### Fixed +- Cookie picker no longer leaks the browse server auth token. Previously, opening the cookie picker page exposed the master bearer token in the HTML source, letting any local process extract it and execute arbitrary JavaScript in your browser session. Now uses a one-time code exchange with an HttpOnly session cookie. The token never appears in HTML, URLs, or browser history. (Reported by Horoshi at Vagabond Research, CVSS 7.8) + ## [0.15.16.0] - 2026-04-06 ### Added diff --git a/VERSION b/VERSION index 006a1444..4a2a39e3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.15.16.0 +0.15.17.0
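Review bot: The new "Fixed" entry under 0.15.17.0 in CHANGELOG.md says earlier versions exposed the master bearer token in the cookie picker's HTML source, but it does not tell users what to do about a token that may already have been read. Suggest adding a sentence that states whether the token is regenerated on upgrade or on server restart, or that tells users to restart the browse server after upgrading so that a fresh token is issued. The "CVSS 7.8" figure also appears without a vector string or an advisory reference; adding one of these would let readers verify the score. The visible lines touch only CHANGELOG.md and VERSION, so the one-time code exchange and HttpOnly session cookie described in the entry cannot be checked against this diff. Confirm that the code change and tests for it land in the same release as the 0.15.17.0 bump.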