diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 62b63fe2e7..f1a20af5da 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -122,6 +122,12 @@ Changelog
  * Fix: Make sure all modal chooser search results correspond to the latest search by canceling previous requests (Esper Kuijs)
 
 
+2.7.3 (04.05.2020)
+~~~~~~~~~~~~~~~~~~
+
+ * Fix: CVE-2020-11037 - avoid potential timing attack on password-protected private pages (Thibaud Colas)
+
+
 2.7.2 (14.04.2020)
 ~~~~~~~~~~~~~~~~~~
 
diff --git a/docs/releases/2.7.3.rst b/docs/releases/2.7.3.rst
new file mode 100644
index 0000000000..4f09be4772
--- /dev/null
+++ b/docs/releases/2.7.3.rst
@@ -0,0 +1,10 @@
+===========================
+Wagtail 2.7.3 release notes
+===========================
+
+CVE-2020-11037: Potential timing attack on password-protected private pages
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is `understood to be feasible on a local network, but not on the public internet <https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ>`_.)
+
+Many thanks to Thibaud Colas for reporting this issue.
diff --git a/docs/releases/index.rst b/docs/releases/index.rst
index 680d2ccb15..d655a3abfc 100644
--- a/docs/releases/index.rst
+++ b/docs/releases/index.rst
@@ -9,6 +9,7 @@ Release notes
    2.9
    2.8.1
    2.8
+   2.7.3
    2.7.2
    2.7.1
    2.7