CHANGELOG-3.6: Add entries for v3.6.9

Signed-off-by: Ivan Valdes <ivan@vald.es>

Author: ivanvc

CHANGELOG/CHANGELOG-3.6.md

@@ -4,14 +4,20 @@ Previous change logs can be found at [CHANGELOG-3.5](https://github.com/etcd-io/
 
 ---
 
-## v3.6.9 (TBC)
+## v3.6.10 (TBC)
+
+---
+
+## v3.6.9 (2026-03-20)
 
 ### etcd server
 
 - [Ensure the metrics interceptor runs before other interceptors so that metrics remain up to date](https://github.com/etcd-io/etcd/pull/21329)
 - Fix [Race between read index and leader change](https://github.com/etcd-io/etcd/pull/21378)
 - Fix [Stale reads caused by process pausing](https://github.com/etcd-io/etcd/pull/21417)
 - Revert [Reuse events between sync loops](https://github.com/etcd-io/etcd/pull/21443)
+- Guard unauthenticated endpoints with auth checks to fix [Authorization bypasses in multiple APIs (CVE-2026-33413)](https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg)
+- Enforce auth checks for nested txn ops to fix [Nested etcd transactions bypass RBAC authorization checks (CVE-2026-33343)](https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q)
 
 ### Package `clientv3`
 
@@ -28,8 +34,9 @@ Previous change logs can be found at [CHANGELOG-3.5](https://github.com/etcd-io/
 ### Dependencies
 
 - [Bump go.opentelemetry.io/otel/sdk to v1.40.0 to resolve https://pkg.go.dev/vuln/GO-2026-4394](https://github.com/etcd-io/etcd/pull/21340)
-- Compile binaries using [go 1.25.7](https://github.com/etcd-io/etcd/pull/21393)
+- Compile binaries using [go 1.25.8](https://github.com/etcd-io/etcd/pull/21463)
 - [Bump golang.org/x/net to v0.51.0 to resolve GO-2026-4559](https://github.com/etcd-io/etcd/pull/21440)
+- [Bump google.golang.org/grpc to 1.79.3 to resolve CVE-2026-33186](https://github.com/etcd-io/etcd/pull/21501)
 
 ---