diff --git a/CHANGELOG.md b/CHANGELOG.md
index d6cdaa6a5..adc76c767 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Security
 
 - Admin API: Fixed self-revocation vulnerability where admins could accidentally revoke their own admin status via the single-user permission endpoint
+- Fix bypass of the restrict unauthenticated setting by requesting local Activities
 
 ### Changed
 
@@ -104,6 +105,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - ObjectView: Do not leak unsanitized internal representation of non-Create/non-Undo Activities on fetches
 - Fix WebFinger for split-domain setups
 - Enforce an exact domain match for WebFinger resolution
+- MastodonAPI: Fix misattribution of statuses when fetched via non-Announce Activity ID
 
 ## 2.9.1
 
diff --git a/changelog.d/mastoapi-misatrribution.fix b/changelog.d/mastoapi-misatrribution.fix
deleted file mode 100644
index ba744c62b..000000000
--- a/changelog.d/mastoapi-misatrribution.fix
+++ /dev/null
@@ -1 +0,0 @@
-MastodonAPI: Fix misattribution of statuses when fetched via non-Announce Activity ID
diff --git a/changelog.d/restrict-unauthenticated-bypass.fix b/changelog.d/restrict-unauthenticated-bypass.fix
deleted file mode 100644
index 974fa6df9..000000000
--- a/changelog.d/restrict-unauthenticated-bypass.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix bypass of the restrict unauthenticated setting by requesting local Activities