diff --git a/docs/whats-new/release-notes/v2_18_2.md b/docs/whats-new/release-notes/v2_18_2.md index 9ebd5ef075..9d70834ee1 100644 --- a/docs/whats-new/release-notes/v2_18_2.md +++ b/docs/whats-new/release-notes/v2_18_2.md @@ -12,6 +12,8 @@ Zowe Version 2.18.2 contains the enhancements that are described in the followin ### Zowe API Mediation Layer +- The configuration property **`apiml.security.forwardHeader.trustedProxies`** has been added to specify the regular expression pattern used to identify trusted proxies from which `X-Forwarded-*` headers are accepted and forwarded. This mitigates CVE-2025-41235. ([#4148](https://github.com/zowe/api-layer/pull/4148)) +* Feature: Add Java sample app to authenticate client certificate. (#4009) ([0808c65](https://github.com/zowe/api-layer/commit/0808c65)), closes [#4009](https://github.com/zowe/api-layer/issues/4009) - A Java sample app has been added to assist users to authenticate client certificates. ([#4009](https://github.com/zowe/api-layer/issues/4009)) - Users can now configure the connect and read timeout for Eureka HTTP client. ([#4046](https://github.com/zowe/api-layer/issues/4046)) - Java 21 is now supported. ([#4027](https://github.com/zowe/api-layer/issues/4027)) @@ -22,6 +24,7 @@ Zowe Version 2.18.2 contains the bug fixes that are described in the following t ### Zowe API Mediation Layer +- Fixed a resource leak in the http client, whereby all objects are now closed after use. ([#4153](https://github.com/zowe/api-layer/pull/4153)) - Added HSTS header when AT-TLS enabled for V2. ([#4071](https://github.com/zowe/api-layer/issues/4071)) - Changed error code SERVICE_UNAVAILABLE to INTERNAL_SERVER_ERROR when ticket generation fails. ([#4043](https://github.com/zowe/api-layer/issues/4043))
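Review bot: The second added line in the first hunk (`* Feature: Add Java sample app to authenticate client certificate. (#4009) ...`) reads like a raw changelog entry pasted in. It uses a `*` marker where the surrounding bullets use `-`, and it repeats the existing entry directly below it ("A Java sample app has been added to assist users to authenticate client certificates"), so it should be dropped. On the `apiml.security.forwardHeader.trustedProxies` entry: it says the property mitigates CVE-2025-41235 but not what the default is or what happens to `X-Forwarded-*` headers when the property is unset, so a reader cannot tell whether upgrading is enough or the property must be configured. Add a sentence stating the default behaviour and what the pattern is matched against.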
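Review bot: In the bug-fix entry added in the second hunk, "whereby all objects are now closed after use" attaches to the leak rather than to the fix and does not say which objects are meant. Make the fix its own clause and name what is now closed, and write "HTTP" in capitals to match "Eureka HTTP client" in the enhancements list. The entry also links to a pull request where the neighbouring entries link to issues; if a tracking issue exists, link it for consistency.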