diff --git a/backend/requirements-dev.txt b/backend/requirements-dev.txt
index 42aa7d5c..9f91b44b 100644
--- a/backend/requirements-dev.txt
+++ b/backend/requirements-dev.txt
@@ -1,11 +1,11 @@
 # Development and CI tool versions — pinned to match CI pipeline
 black==24.10.0
-flake8==7.1.1
-mypy==1.19.1
+flake8==7.3.0
+mypy==1.20.2
 isort==5.13.2
-pytest==9.0.2
+pytest==9.0.3
 pytest-cov==7.1.0
 pytest-timeout==2.4.0
 pytest-asyncio==1.3.0
-bandit==1.8.3
-safety==3.3.1
+bandit==1.9.4
+safety==3.7.0
diff --git a/backend/requirements.txt b/backend/requirements.txt
index 8f96a7e5..4f0d9161 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -4,20 +4,20 @@
 # FIPS 140-2: OpenSSL 3.x FIPS provider (portable, not tied to Red Hat)
 
 # Core web framework
-fastapi==0.129.0
-uvicorn[standard]==0.40.0
+fastapi==0.136.1
+uvicorn[standard]==0.46.0
 starlette==0.52.1  # Security: CVE-2025-62727 fixed
-python-multipart==0.0.22
+python-multipart==0.0.26
 
 # Database (PostgreSQL only)
-SQLAlchemy==2.0.46
+SQLAlchemy==2.0.49
 alembic==1.18.4
-psycopg2-binary==2.9.11
+psycopg2-binary==2.9.12
 asyncpg==0.31.0
 
 
 # Authentication & Security
-PyJWT==2.11.0
+PyJWT==2.12.1
 passlib==1.7.4
 bcrypt==5.0.0
 argon2-cffi==25.1.0
@@ -26,32 +26,32 @@ qrcode==7.4.2
 cryptography==46.0.5
 # pyOpenSSL: transitive via pysaml2; pinning explicitly to avoid 22.0.0
 # CVE-2026-27448 and CVE-2026-27459 that are pulled in as a transitive.
-pyOpenSSL==26.0.0
+pyOpenSSL==26.1.0
 
 # SSH
 paramiko==3.5.0
 
 # HTTP Client (consolidated — requests and aiohttp removed)
 httpx==0.28.1
-aiohttp==3.13.3  # Keep: Kensa updater plugin depends on it
+aiohttp==3.13.5  # Keep: Kensa updater plugin depends on it
 
 # Data Validation
-pydantic==2.12.5
-pydantic-settings==2.13.0
+pydantic==2.13.3
+pydantic-settings==2.14.0
 email-validator==2.3.0
 
 # Configuration
-python-dotenv==1.2.1
+python-dotenv==1.2.2
 PyYAML==6.0.3
 Jinja2==3.1.6  # Report HTML templating
 
 # Observability
-opentelemetry-api==1.39.1
-opentelemetry-sdk==1.39.1
-opentelemetry-instrumentation-fastapi==0.60b1
-opentelemetry-instrumentation-sqlalchemy==0.60b1
-opentelemetry-exporter-otlp==1.39.1
-prometheus-client==0.24.1
+opentelemetry-api==1.41.1
+opentelemetry-sdk==1.41.1
+opentelemetry-instrumentation-fastapi==0.62b1
+opentelemetry-instrumentation-sqlalchemy==0.62b1
+opentelemetry-exporter-otlp==1.41.1
+prometheus-client==0.25.0
 psutil==7.2.2
 
 # Email