diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 42a7791357..c4fae12a59 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -36,6 +36,8 @@ Fixed
 * Fix KV value lookup in actions when RBAC is enabled #5934
+* Update version 3.1.15 of ``gitpython`` to 3.1.18 for py3.6 and to 3.1.37 for py3.8 (security). #6063
+
 Added
 ~~~~~
 * Move `git clone` to `user_home/.st2packs` #5845
diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index c1a14fbcba..915e16b599 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -12,7 +12,9 @@ cryptography==39.0.1
 # depend on rely
 eventlet==0.33.3
 flex==6.14.1
-gitpython==3.1.15
+# Note: installs gitpython==3.1.37 (security fixed) under py3.8 and gitpython==3.1.18 (latest available, vulnerable) under py3.6
+# TODO: Pin to 3.1.37 or higher after dropping python3.6 support
+gitpython<=3.1.37
 # Needed by gitpython, old versions used to bundle it
 gitdb==4.0.2
 # Note: greenlet is used by eventlet
diff --git a/requirements.txt b/requirements.txt
index 638faf38f0..5183347a27 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -20,7 +20,7 @@ dnspython>=1.16.0,<2.0.0
 eventlet==0.33.3
 flex==6.14.1
 gitdb==4.0.2
-gitpython==3.1.15
+gitpython<=3.1.37
 greenlet==1.0.0
 gunicorn==21.2.0
 importlib-metadata==3.10.1
diff --git a/st2actions/requirements.txt b/st2actions/requirements.txt
index e15c7c967e..bdfe4e8b1c 100644
--- a/st2actions/requirements.txt
+++ b/st2actions/requirements.txt
@@ -9,7 +9,7 @@ MarkupSafe<2.1.0,>=0.23
 apscheduler==3.7.0
 chardet<3.1.0
 eventlet==0.33.3
-gitpython==3.1.15
+gitpython<=3.1.37
 jinja2==2.11.3
 kombu==5.0.2
 lockfile==0.12.2
diff --git a/st2common/requirements.txt b/st2common/requirements.txt
index ab7614ebbd..575b251177 100644
--- a/st2common/requirements.txt
+++ b/st2common/requirements.txt
@@ -17,7 +17,7 @@ dnspython>=1.16.0,<2.0.0
 eventlet==0.33.3
 flex==6.14.1
 gitdb==4.0.2
-gitpython==3.1.15
+gitpython<=3.1.37
 greenlet==1.0.0
 jinja2==2.11.3
 jsonpath-rw==1.4.0
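Review bot: `gitpython<=3.1.37` in the fixed-requirements.txt hunk sets only a ceiling, so nothing in the specifier rules out 3.1.15 or an older release being selected; the added comment's claim that py3.8 gets 3.1.37 relies on the resolver preferring the newest candidate rather than on the pin itself. Every neighbouring line in these files is an exact `==` pin, so the open floor also gives up reproducible installs for the one package this commit is fixing for a security reason. Environment markers state the per-interpreter intent the comment describes without depending on resolver behaviour: `gitpython==3.1.37; python_version != "3.6"` and `gitpython==3.1.18; python_version == "3.6"` (at minimum, `gitpython>=3.1.18,<=3.1.37` would close the floor). The same `gitpython<=3.1.37` line appears in the requirements.txt, st2actions/requirements.txt and st2common/requirements.txt hunks and would need the same treatment.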