diff --git a/CHANGELOG.md b/CHANGELOG.md
index f96310ee..31c9331d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@
 This patch release fixes a [memory leak](https://github.com/jwtk/jjwt/issues/392) found in the DEFLATE compression 
 codec implementation.
 
+It also updates the Jackson dependency version to [2.9.9.1](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#patches)
+to address three security vulnerabilities in Jackson:
+[CVE-2019-12086](https://nvd.nist.gov/vuln/detail/CVE-2019-12086),
+[CVE-2019-12384](https://nvd.nist.gov/vuln/detail/CVE-2019-12384), and
+[CVE-2019-12814](https://nvd.nist.gov/vuln/detail/CVE-2019-12814).
+
 ### 0.10.6
 
 This patch release updates the jackson-databind version to 2.9.8 to address a critical security vulnerability in that
diff --git a/pom.xml b/pom.xml
index 691f0743..88dc6a7c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -88,7 +88,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <buildNumber>${user.name}-${maven.build.timestamp}</buildNumber>
 
-        <jackson.version>2.9.8</jackson.version>
+        <jackson.version>2.9.9.1</jackson.version>
         <orgjson.version>20180130</orgjson.version>
 
         <!-- Optional Runtime Dependencies: -->