diff --git a/python-urllib3.changes b/python-urllib3.changes
index 1a6c0d6..10d1280 100644
--- a/python-urllib3.changes
+++ b/python-urllib3.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Jan 13 09:40:54 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 2.6.3
+  * Fixed a high-severity security issue where decompression-bomb safeguards of
+    the streaming API were bypassed when HTTP redirects were followed.
+    (GHSA-38jv-5279-wg99) (bsc#1256331, CVE-2026-21441)
+  * Started treating ``Retry-After`` times greater than 6 hours as 6 hours by
+    default. (#3743)
+  * Fixed ``urllib3.connection.VerifiedHTTPSConnection`` on Emscripten. (#3752)
+
 -------------------------------------------------------------------
 Wed Jan  7 09:49:28 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
 
diff --git a/python-urllib3.spec b/python-urllib3.spec
index a95572e..7e56d8e 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -26,7 +26,7 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-urllib3%{psuffix}
-Version:        2.6.2
+Version:        2.6.3
 Release:        0
 Summary:        HTTP library with thread-safe connection pooling, file post, and more
 License:        MIT
diff --git a/urllib3-2.6.2.tar.gz b/urllib3-2.6.2.tar.gz
deleted file mode 100644
index 238142a..0000000
--- a/urllib3-2.6.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:016f9c98bb7e98085cb2b4b17b87d2c702975664e4f060c6532e64d1c1a5e797
-size 432930
diff --git a/urllib3-2.6.3.tar.gz b/urllib3-2.6.3.tar.gz
new file mode 100644
index 0000000..cb66d5b
--- /dev/null
+++ b/urllib3-2.6.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed
+size 435556