diff --git a/SECURITY.md b/SECURITY.md
index b65d3c7b..cf186710 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -15,8 +15,9 @@ Please target reports against :white_check_mark: or current master. Please under
| Version | Status |
| ------- | ------------------ |
-| 25.0.0 | :white_check_mark: |
-| 24.1.1 | :white_check_mark: |
+| 26.0.0 | :white_check_mark: |
+| 25.3.0 | :white_check_mark: |
+| 24.1.1 | :x: |
| 23.0.0 | :x: |
| 22.0.0 | :x: |
| < 22.0 | :x: |
diff --git a/docs/content/2026-news.md b/docs/content/2026-news.md
index 8799fc5d..5b32cc70 100644
--- a/docs/content/2026-news.md
+++ b/docs/content/2026-news.md
@@ -1,6 +1,101 @@
# Changelog - 2026
+## 26.0.0 - 2026-05-05
+
+### Breaking Changes
+
+- **Eventlet worker removed**: The `eventlet` worker class has been dropped.
+ Migrate to `gevent`, `gthread`, or `tornado`.
+
+### New Features
+
+- **ASGI Framework Compatibility Suite**: New end-to-end compatibility test
+ harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep.
+ Current grid passes 438/444 tests (98%).
+
+- **ASGI Test Suite Expansion**: 134 additional ASGI unit tests covering
+ protocol semantics, lifespan, websockets, and chunked framing.
+
+### Security
+
+- **HTTP/1.1 Request-Target Validation** (RFC 9112 sections 3.2.3, 3.2.4):
+ - Reject `authority-form` request-target outside `CONNECT`
+ - Reject `asterisk-form` request-target outside `OPTIONS`
+ - Reject `relative-reference` request-targets
+
+- **Header Field Hardening** (RFC 9110):
+ - Reject control characters in header field-value (section 5.5)
+ - Reject forbidden trailer field-names (section 6.5.1)
+ - Reject `Content-Length` list form (RFC 9112 section 6.3)
+
+- **Request Smuggling Hardening**:
+ - Tighten keepalive gate and scope `finish_body` byte cap
+ - Keep `_body_receiver` alive across the keepalive smuggling gate so
+ pipelined requests cannot re-enter a closed body
+ - Address parser/protocol findings from a six-point WSGI/ASGI audit
+
+- **PROXY Protocol (ASGI)**: Enforce `proxy_allow_ips` and tighten v1/v2
+ parsing in the ASGI callback parser.
+
+- **Connection Draining**: Drain the connection on close per RFC 9112
+ section 9.6 to prevent reset-on-close truncation.
+
+### Bug Fixes
+
+- **Body Framing on HEAD/204/304**:
+ - Keep `Content-Length` on HEAD and 304 responses
+ ([#3621](https://github.com/benoitc/gunicorn/pull/3621))
+ - Drop body framing on HEAD/204/304 even when the framework set it
+ - Warn once when an ASGI app emits a body for a no-body response
+
+- **HTTP/2 ASGI**:
+ - Fix `_handle_stream_ended` to set `_body_complete` in the async HTTP/2
+ handler so request bodies finalize correctly on stream end
+ - Add `InvalidChunkExtension` mapping and fast-parser support in ASGI
+ tests ([#3565](https://github.com/benoitc/gunicorn/pull/3565))
+
+- **HTTP/1.1 100-Continue**: Stop adding `Transfer-Encoding: chunked` to
+ 100-Continue interim responses.
+
+- **WebSocket Close Handshake** (RFC 6455):
+ - Comply with the close handshake state machine
+ - Close the transport after the close handshake completes
+ - Fix binary send when the `text` key is `None`
+
+- **Early Hints**: Validate headers in the `early_hints` callback to match
+ `process_headers`; pass only the header name to `InvalidHeader`
+ ([#3588](https://github.com/benoitc/gunicorn/pull/3588)).
+
+- **ASGI Framework Fixes**:
+ - Fix ASGI disconnect handling for Django-style apps
+ - Fix Litestar request handling (use raw ASGI receive for body/headers)
+ - Fix Litestar HTTP endpoints for compatibility tests
+ - Fix Quart headers endpoint to normalize keys to lowercase
+ - Fix Quart WebSocket close test app (missing `accept()`)
+ - Fix duplicate `Transfer-Encoding` header for BlackSheep streaming
+
+### Refactoring
+
+- Split `BodyReceiver._closed` into separate transport and body-wait flags
+ for clearer keepalive/EOF semantics.
+
+### Changes
+
+- **Fast HTTP Parser**: Require `gunicorn_h1c >= 0.6.5`. Drop the last
+ `python_only` test markers; the C extension is now used wherever
+ available (CPython only; PyPy continues to use the Python parser).
+
+- **Test Dependencies**: Add `h2` and `uvloop` to the `testing` extra;
+ remove `eventlet`.
+
+- **Docker Build**: Bump GitHub Actions `docker/setup-qemu-action`,
+ `docker/setup-buildx-action`, `docker/login-action`,
+ `docker/build-push-action`, and `docker/metadata-action` to current
+ major versions.
+
+---
+
## 25.3.0 - 2026-03-26
### Bug Fixes
diff --git a/docs/content/news.md b/docs/content/news.md
index e5ef7275..3be582b0 100644
--- a/docs/content/news.md
+++ b/docs/content/news.md
@@ -1,6 +1,101 @@
# Changelog
+## 26.0.0 - 2026-05-05
+
+### Breaking Changes
+
+- **Eventlet worker removed**: The `eventlet` worker class has been dropped.
+ Migrate to `gevent`, `gthread`, or `tornado`.
+
+### New Features
+
+- **ASGI Framework Compatibility Suite**: New end-to-end compatibility test
+ harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep.
+ Current grid passes 438/444 tests (98%).
+
+- **ASGI Test Suite Expansion**: 134 additional ASGI unit tests covering
+ protocol semantics, lifespan, websockets, and chunked framing.
+
+### Security
+
+- **HTTP/1.1 Request-Target Validation** (RFC 9112 sections 3.2.3, 3.2.4):
+ - Reject `authority-form` request-target outside `CONNECT`
+ - Reject `asterisk-form` request-target outside `OPTIONS`
+ - Reject `relative-reference` request-targets
+
+- **Header Field Hardening** (RFC 9110):
+ - Reject control characters in header field-value (section 5.5)
+ - Reject forbidden trailer field-names (section 6.5.1)
+ - Reject `Content-Length` list form (RFC 9112 section 6.3)
+
+- **Request Smuggling Hardening**:
+ - Tighten keepalive gate and scope `finish_body` byte cap
+ - Keep `_body_receiver` alive across the keepalive smuggling gate so
+ pipelined requests cannot re-enter a closed body
+ - Address parser/protocol findings from a six-point WSGI/ASGI audit
+
+- **PROXY Protocol (ASGI)**: Enforce `proxy_allow_ips` and tighten v1/v2
+ parsing in the ASGI callback parser.
+
+- **Connection Draining**: Drain the connection on close per RFC 9112
+ section 9.6 to prevent reset-on-close truncation.
+
+### Bug Fixes
+
+- **Body Framing on HEAD/204/304**:
+ - Keep `Content-Length` on HEAD and 304 responses
+ ([#3621](https://github.com/benoitc/gunicorn/pull/3621))
+ - Drop body framing on HEAD/204/304 even when the framework set it
+ - Warn once when an ASGI app emits a body for a no-body response
+
+- **HTTP/2 ASGI**:
+ - Fix `_handle_stream_ended` to set `_body_complete` in the async HTTP/2
+ handler so request bodies finalize correctly on stream end
+ - Add `InvalidChunkExtension` mapping and fast-parser support in ASGI
+ tests ([#3565](https://github.com/benoitc/gunicorn/pull/3565))
+
+- **HTTP/1.1 100-Continue**: Stop adding `Transfer-Encoding: chunked` to
+ 100-Continue interim responses.
+
+- **WebSocket Close Handshake** (RFC 6455):
+ - Comply with the close handshake state machine
+ - Close the transport after the close handshake completes
+ - Fix binary send when the `text` key is `None`
+
+- **Early Hints**: Validate headers in the `early_hints` callback to match
+ `process_headers`; pass only the header name to `InvalidHeader`
+ ([#3588](https://github.com/benoitc/gunicorn/pull/3588)).
+
+- **ASGI Framework Fixes**:
+ - Fix ASGI disconnect handling for Django-style apps
+ - Fix Litestar request handling (use raw ASGI receive for body/headers)
+ - Fix Litestar HTTP endpoints for compatibility tests
+ - Fix Quart headers endpoint to normalize keys to lowercase
+ - Fix Quart WebSocket close test app (missing `accept()`)
+ - Fix duplicate `Transfer-Encoding` header for BlackSheep streaming
+
+### Refactoring
+
+- Split `BodyReceiver._closed` into separate transport and body-wait flags
+ for clearer keepalive/EOF semantics.
+
+### Changes
+
+- **Fast HTTP Parser**: Require `gunicorn_h1c >= 0.6.5`. Drop the last
+ `python_only` test markers; the C extension is now used wherever
+ available (CPython only; PyPy continues to use the Python parser).
+
+- **Test Dependencies**: Add `h2` and `uvloop` to the `testing` extra;
+ remove `eventlet`.
+
+- **Docker Build**: Bump GitHub Actions `docker/setup-qemu-action`,
+ `docker/setup-buildx-action`, `docker/login-action`,
+ `docker/build-push-action`, and `docker/metadata-action` to current
+ major versions.
+
+---
+
## 25.3.0 - 2026-03-26
### Bug Fixes
diff --git a/gunicorn/__init__.py b/gunicorn/__init__.py
index 6009fecc..3a4cddaa 100644
--- a/gunicorn/__init__.py
+++ b/gunicorn/__init__.py
@@ -2,7 +2,7 @@
# This file is part of gunicorn released under the MIT license.
# See the NOTICE for more information.
-version_info = (25, 3, 0)
+version_info = (26, 0, 0)
__version__ = ".".join([str(v) for v in version_info])
SERVER = "gunicorn"
SERVER_SOFTWARE = "%s/%s" % (SERVER, __version__)