diff --git a/generators/java/sdk/Dockerfile b/generators/java/sdk/Dockerfile
index 1c75a9c55a29..e6c85713eaa3 100644
--- a/generators/java/sdk/Dockerfile
+++ b/generators/java/sdk/Dockerfile
@@ -74,6 +74,8 @@ RUN rm -f /opt/gradle/lib/plugins/bcpg-jdk18on-*.jar \
 # Security update 2026-05-04: add glibc/glibc-common/glibc-minimal-langpack
 # (CVE-2026-4046, iconv() assertion failure when converting IBM1390/IBM1399
 # inputs; fixed in glibc 2.34-231.amzn2023.0.4)
+# Security update 2026-05-18: add libgcrypt (CVE-2026-41989, heap-based
+# buffer overflow in gcry_pk_decrypt; fixed in 1.10.2-1.amzn2023.0.3)
 RUN dnf --releasever=latest update -y \
 openssl-fips-provider-latest \
 openssl-libs \
@@ -96,7 +98,8 @@ RUN dnf --releasever=latest update -y \
 libnghttp2 \
 glibc \
 glibc-common \
- glibc-minimal-langpack && \
+ glibc-minimal-langpack \
+ libgcrypt && \
 dnf remove -y git-lfs wget || true && \
 dnf clean all && \
 rm -rf /var/cache/dnf
diff --git a/generators/java/sdk/changes/4.8.9/fix-cve-2026-41989-libgcrypt.yml b/generators/java/sdk/changes/4.8.9/fix-cve-2026-41989-libgcrypt.yml
new file mode 100644
index 000000000000..a91810d9dbcd
--- /dev/null
+++ b/generators/java/sdk/changes/4.8.9/fix-cve-2026-41989-libgcrypt.yml
@@ -0,0 +1,4 @@
+- summary: |
+ Fix CVE-2026-41989: update libgcrypt in Docker image to patch heap-based
+ buffer overflow in gcry_pk_decrypt.
+ type: chore
diff --git a/generators/java/sdk/versions.yml b/generators/java/sdk/versions.yml
index ae3ec9a1f448..2ba740652589 100644
--- a/generators/java/sdk/versions.yml
+++ b/generators/java/sdk/versions.yml
@@ -1,4 +1,12 @@
 # yaml-language-server: $schema=../../../fern-versions-yml.schema.json
+- version: 4.8.9
+ changelogEntry:
+ - summary: |
+ Fix CVE-2026-41989: update libgcrypt in Docker image to patch heap-based
+ buffer overflow in gcry_pk_decrypt.
+ type: chore
+ createdAt: "2026-05-18"
+ irVersion: 66
 - version: 4.8.8
 changelogEntry:
 - summary: |
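Review bot: The fixed version named in the added comment in generators/java/sdk/Dockerfile (hunk `@@ -74,6 +74,8 @@`), `1.10.2-1.amzn2023.0.3`, is not enforced by anything visible in the diff. The `RUN dnf --releasever=latest update -y` that follows installs whatever the repository serves at build time, and `dnf update` only upgrades packages that are already present, so the comment can drift from what the image actually contains. Consider appending `rpm -q libgcrypt glibc` to the same RUN so the build log records the installed versions, or failing the build when the version is below the documented floor. The RUN instruction continues past the end of this hunk.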
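Review bot: A failed `dnf update` of the list that now ends in `libgcrypt` does not fail the build in generators/java/sdk/Dockerfile (hunk `@@ -96,7 +98,8 @@`). The shell gives `&&` and `||` equal precedence and evaluates left to right, so the chain reads as `(update && remove) || true`, and the `|| true` meant for `dnf remove -y git-lfs wget` also swallows an update error. The CVE-2026-41989 fix can then be skipped silently while the image still builds and ships. Scope the fallback to the remove step only, for example `{ dnf remove -y git-lfs wget || true; } && \`. The RUN instruction starts above this hunk, so the package lines between the two hunks are not visible here.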