diff --git a/changelog/5.0.3_2024-05-02/CVE-2023-36308.md b/changelog/5.0.3_2024-05-02/CVE-2023-36308.md
new file mode 100644
index 0000000000..a8abb03212
--- /dev/null
+++ b/changelog/5.0.3_2024-05-02/CVE-2023-36308.md
@@ -0,0 +1,7 @@
+Bugfix: Crash when processing crafted TIFF files
+
+Fix for a vulnerability with low severity in disintegration/imaging.
+
+https://github.com/advisories/GHSA-q7pp-wcgr-pffx
+https://github.com/owncloud/ocis/pull/8981
+
diff --git a/changelog/5.0.3_2024-05-02/bump-reva.md b/changelog/5.0.3_2024-05-02/bump-reva.md
new file mode 100644
index 0000000000..30c7480f97
--- /dev/null
+++ b/changelog/5.0.3_2024-05-02/bump-reva.md
@@ -0,0 +1,11 @@
+Bugfix: Update reva to v2.19.6
+
+We updated reva to v2.19.6
+
+*   Bugfix      [cs3org/reva#4654](https://github.com/cs3org/reva/pull/4654): Write blob based on session id
+*   Bugfix      [cs3org/reva#4666](https://github.com/cs3org/reva/pull/4666): Fix uploading via a public link
+*   Bugfix      [cs3org/reva#4665](https://github.com/cs3org/reva/pull/4665): Fix creating documents in nested folders of public shares
+*   Enhancement [cs3org/reva#4655](https://github.com/cs3org/reva/pull/4655): Bump mockery to v2.40.2
+*   Enhancement [cs3org/reva#4664](https://github.com/cs3org/reva/pull/4664): Add ScanData to Uploadsession
+
+https://github.com/owncloud/ocis/pull/9011
diff --git a/changelog/5.0.3_2024-05-02/fix-admin-role-assignment.md b/changelog/5.0.3_2024-05-02/fix-admin-role-assignment.md
new file mode 100644
index 0000000000..30e20f041c
--- /dev/null
+++ b/changelog/5.0.3_2024-05-02/fix-admin-role-assignment.md
@@ -0,0 +1,7 @@
+Bugfix: Update the admin user role assignment to enforce the config
+
+The admin user role assigment was not updated after the first assignment. We now read the assigned role during init and update the admin user ID accordingly if the role is not assigned.
+This is especially needed when the OCIS_ADMIN_USER_ID is set after the autoprovisioning of the admin user when it originates from an external Identity Provider.
+
+https://github.com/owncloud/ocis/pull/8918
+https://github.com/owncloud/ocis/pull/8897
diff --git a/changelog/5.0.3_2024-05-02/rework-virus-handling.md b/changelog/5.0.3_2024-05-02/rework-virus-handling.md
new file mode 100644
index 0000000000..4baade52f3
--- /dev/null
+++ b/changelog/5.0.3_2024-05-02/rework-virus-handling.md
@@ -0,0 +1,5 @@
+Bugfix: Fix infected file handling
+
+Reworks virus handling. Shows scandate and outcome on ocis storage-users uploads sessions. Avoids retrying infected files on ocis postprocessing restart.
+
+https://github.com/owncloud/ocis/pull/9011
diff --git a/deployments/continuous-deployment-config/ocis_keycloak/released.yml b/deployments/continuous-deployment-config/ocis_keycloak/released.yml
index 159518eb96..f614eefb21 100644
--- a/deployments/continuous-deployment-config/ocis_keycloak/released.yml
+++ b/deployments/continuous-deployment-config/ocis_keycloak/released.yml
@@ -32,7 +32,7 @@
         env:
           INSECURE: "false"
           TRAEFIK_ACME_MAIL: mbarz@owncloud.com
-          OCIS_DOCKER_TAG: 5.0.2
+          OCIS_DOCKER_TAG: 5.0.3
           OCIS_DOMAIN: ocis.ocis-keycloak.released.owncloud.works
           KEYCLOAK_DOMAIN: keycloak.ocis-keycloak.released.owncloud.works
           COMPOSE_FILE: docker-compose.yml:monitoring_tracing/docker-compose-additions.yml
diff --git a/deployments/continuous-deployment-config/ocis_ldap/released.yml b/deployments/continuous-deployment-config/ocis_ldap/released.yml
index fae0f76d4b..e7883b9f58 100644
--- a/deployments/continuous-deployment-config/ocis_ldap/released.yml
+++ b/deployments/continuous-deployment-config/ocis_ldap/released.yml
@@ -32,7 +32,7 @@
         env:
           INSECURE: "false"
           TRAEFIK_ACME_MAIL: mbarz@owncloud.com
-          OCIS_DOCKER_TAG: 5.0.2
+          OCIS_DOCKER_TAG: 5.0.3
           OCIS_DOMAIN: ocis.ocis-ldap.released.owncloud.works
           LDAP_MANAGER_DOMAIN: ldap.ocis-ldap.released.owncloud.works
           COMPOSE_FILE: docker-compose.yml:monitoring_tracing/docker-compose-additions.yml
diff --git a/deployments/continuous-deployment-config/ocis_traefik/released.yml b/deployments/continuous-deployment-config/ocis_traefik/released.yml
index 67d79a9446..76767fabbb 100644
--- a/deployments/continuous-deployment-config/ocis_traefik/released.yml
+++ b/deployments/continuous-deployment-config/ocis_traefik/released.yml
@@ -32,7 +32,7 @@
         env:
           INSECURE: "false"
           TRAEFIK_ACME_MAIL: mbarz@owncloud.com
-          OCIS_DOCKER_TAG: 5.0.2
+          OCIS_DOCKER_TAG: 5.0.3
           OCIS_DOMAIN: ocis.ocis-traefik.released.owncloud.works
           DEMO_USERS: "true"
           INBUCKET_DOMAIN: mail.ocis-traefik.released.owncloud.works
diff --git a/deployments/continuous-deployment-config/ocis_wopi/released.yml b/deployments/continuous-deployment-config/ocis_wopi/released.yml
index ccb00d0278..7eab00c53a 100644
--- a/deployments/continuous-deployment-config/ocis_wopi/released.yml
+++ b/deployments/continuous-deployment-config/ocis_wopi/released.yml
@@ -32,7 +32,7 @@
         env:
           INSECURE: "false"
           TRAEFIK_ACME_MAIL: mbarz@owncloud.com
-          OCIS_DOCKER_TAG: 5.0.2
+          OCIS_DOCKER_TAG: 5.0.3
           OCIS_DOMAIN: ocis.ocis-wopi.released.owncloud.works
           COMPANION_DOMAIN: companion.ocis-wopi.released.owncloud.works
           COMPANION_IMAGE: owncloud/uppy-companion:3.12.13-owncloud