diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1e16afdc..455c74cd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## [4.10.16](https://github.com/parse-community/parse-server/compare/4.10.15...4.10.16) (2022-09-20)
+
+
+### Bug Fixes
+
+* authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) ([#8186](https://github.com/parse-community/parse-server/issues/8186)) ([b3e7939](https://github.com/parse-community/parse-server/commit/b3e7939f6bf7d4d295143c5d9b90deb9c25c58b7))
+
 ## [4.10.15](https://github.com/parse-community/parse-server/compare/4.10.14...4.10.15) (2022-09-20)
 
 
diff --git a/package-lock.json b/package-lock.json
index 25789a00..ffea049f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "4.10.15",
+  "version": "4.10.16",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
diff --git a/package.json b/package.json
index 5ed70c54..cf72cf14 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "4.10.15",
+  "version": "4.10.16",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {