diff --git a/CHANGELOG.md b/CHANGELOG.md index ff432cdd2a..3c023dd3fa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,19 @@ +4.82.0 +====== + +### Highlights +This release expands extensibility for confidential-client authentication (certificates + client assertions), adds additional sovereign cloud environments, and hardens security-sensitive flows (mTLS PoP and system browser auth) with clearer validation and safer defaults. + +### Features +* **Certificate-based confidential client extensibility:** Introduced `CertificateOptions` and updated `WithCertificate` extensibility APIs to accept it, including support for passing `sendX5C` configuration through the options model. ([#5655](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5655)) +* **Sovereign cloud support:** Added instance discovery / authority validation support for Bleu (France), Delos (Germany), and GovSG (Singapore) cloud environments. ([#5671](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5671)) +* **Client assertion customization:** Added `WithExtraClientAssertionClaims` on `AcquireTokenForClientParameterBuilder` to enable supplying additional signed claims in client assertions (intended for advanced scenarios and higher-level libraries). ([#5650](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5650)) +* **mTLS PoP guardrails:** Added validation and explicit error handling when mTLS PoP is requested for unsupported environments and/or non-`login.*` hosts. ([#5684](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5684)) +* **System browser hardening:** Added `response_mode=form_post` support for the default system browser (loopback) flow. MSAL will enforce `form_post` and process the authorization response from POST data. ([#5678](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5678)) + +### Changes +* **Key Attestation packaging rename:** `Microsoft.Identity.Client.MtlsPop` renamed to `Microsoft.Identity.Client.KeyAttestation` (assembly/package naming update). 
([#5653](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5653)) + 4.81.0 ======
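Review bot: The "System browser hardening" bullet under Features says MSAL "will enforce `form_post`", which is a behaviour change for existing loopback callers rather than an opt-in feature, so it should also appear under "### Changes" (or be moved there) with a sentence on what callers will see differently. In the same section, the "Key Attestation packaging rename" bullet records that `Microsoft.Identity.Client.MtlsPop` became `Microsoft.Identity.Client.KeyAttestation` but does not say what consumers of the old package need to do. Suggest adding a short migration line stating whether the old package ID is still published and whether namespaces or only the assembly/package name changed. The "mTLS PoP guardrails" bullet mentions "explicit error handling" without naming the error, and naming the exception or error code there would let readers search for it when they hit it.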