diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile
index 5942c4785f..cfef0f1ea1 100644
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
@@ -74,6 +74,9 @@ RUN --mount=type=secret,id=database_url \
 #
 FROM base AS runner
 
+# Upgrade Alpine system packages to pick up security patches (e.g. zlib CVE-2026-22184)
+RUN apk update && apk upgrade --no-cache
+
 # Update npm to latest, then create user
 # Note: npm's bundled tar has a known vulnerability but npm is only used during build, not at runtime
 RUN npm install --ignore-scripts -g npm@latest \