diff --git a/java/ql/lib/change-notes/2025-11-27-spring-rest-template-request-forgery-sinks.md b/java/ql/lib/change-notes/2025-11-27-spring-rest-template-request-forgery-sinks.md new file mode 100644 index 00000000000..4a18b530472 --- /dev/null +++ b/java/ql/lib/change-notes/2025-11-27-spring-rest-template-request-forgery-sinks.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* URI template variables of all Spring `RestTemplate` methods are now considered as request forgery sinks. Previously only the `getForObject` method was considered. This may lead to more alerts for the query `java/ssrf`.
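Review bot: In the added bullet, "URI template variables of all Spring `RestTemplate` methods" reads as if every `RestTemplate` method takes such variables. Consider narrowing it to "all Spring `RestTemplate` methods that accept URI template variables" so readers can tell which call sites will start producing `java/ssrf` alerts. "considered as request forgery sinks" can also drop the "as". Because the note warns of more alerts, a short clause on when a template variable counts as a sink (any variable, or only one that can influence the request target) would help users triage the new results. Only the change note is visible in this diff, so the wording is the one thing that can be checked here.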