diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9f5d64..8179a21 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.31.0
+
+* Upgrade to Nginx 1.31.0 to address CVE-2026-42945 (heap buffer overflow in `ngx_http_rewrite_module`).
+* Switch base from Debian Bookworm (12) to Debian Trixie (13). Upstream Nginx no longer publishes a `-bookworm` tag for 1.31.0.
+
 ## 1.27.4
 
 * Upgrade to Nginx 1.27.4.
diff --git a/Dockerfile b/Dockerfile
index ed5cef2..aa7307b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM nginx:1.27.4-bookworm
+FROM nginx:1.31.0-trixie
 
 ENV NGINX_ENTRYPOINT_QUIET_LOGS=1