diff --git a/releasenotes/notes/fix-broken-trusted-config-updates-b68948bdbead17b2.yaml b/releasenotes/notes/fix-broken-trusted-config-updates-b68948bdbead17b2.yaml
new file mode 100644
index 0000000000..e4c89f0ad0
--- /dev/null
+++ b/releasenotes/notes/fix-broken-trusted-config-updates-b68948bdbead17b2.yaml
@@ -0,0 +1,10 @@
+---
+security:
+  - |
+    Fixed a bug where config (trusted) layout updates could be used
+    pre-merge as a dynamically loaded layout. This could happen if Zuul
+    was running with config errors that originated from outside of
+    the config (trusted) repo. A logic error allowed code to fall
+    through and return the trusted layout in this case.
+
+    Users should upgrade.