diff --git a/CHANGELOG.md b/CHANGELOG.md
index 072d02497..0e5c71fd9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 Changelog
 =========
 
+## 5.2.3
+
+- Fix any URI starting with bolt.backend_url is treated as restricted (macintoshplus, [#3504](https://github.com/bolt/core/issues/3504)
+
 ## 5.2.2
 
 Released: 2025-03-10
diff --git a/UPGRADE-5.2.md b/UPGRADE-5.2.md
new file mode 100644
index 000000000..3dba17e19
--- /dev/null
+++ b/UPGRADE-5.2.md
@@ -0,0 +1,14 @@
+# Upgrade to 5.2.3
+
+In file `config/packages/security.yaml` replace
+
+```yaml
+ - { path: '^%bolt.backend_url%', roles: IS_AUTHENTICATED_REMEMBERED }
+ - { path: '^/(%app_locales%)%bolt.backend_url%', roles: IS_AUTHENTICATED_REMEMBERED }
+```
+
+By
+```yaml
+ - { path: '^%bolt.backend_url%($|/)', roles: IS_AUTHENTICATED_REMEMBERED }
+ - { path: '^/(%app_locales%)%bolt.backend_url%($|/)', roles: IS_AUTHENTICATED_REMEMBERED }
+```
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 03d3ae112..0374a78b0 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -58,5 +58,5 @@ security:
 - { path: '^/(%app_locales%)%bolt.backend_url%/api', roles: ADMIN_API_ACCESS } # handled by voter
 - { path: '^%bolt.backend_url%/_trans', roles: ADMIN_TRANSLATE_ACCESS } # handled by voter
 - { path: '^/(%app_locales%)%bolt.backend_url%/_trans', roles: ADMIN_TRANSLATE_ACCESS } # handled by voter
- - { path: '^%bolt.backend_url%', roles: IS_AUTHENTICATED_REMEMBERED }
- - { path: '^/(%app_locales%)%bolt.backend_url%', roles: IS_AUTHENTICATED_REMEMBERED }
+ - { path: '^%bolt.backend_url%($|/)', roles: IS_AUTHENTICATED_REMEMBERED }
+ - { path: '^/(%app_locales%)%bolt.backend_url%($|/)', roles: IS_AUTHENTICATED_REMEMBERED }
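Review bot: The two catch-all rules at the end of `access_control` in `config/packages/security.yaml` now match only `%bolt.backend_url%` itself or a path that continues with `/`. Any backend route that appends to the prefix without a slash would therefore no longer require `IS_AUTHENTICATED_REMEMBERED` at the firewall and would depend on controller or voter checks alone. The route definitions are outside this hunk, so this should be confirmed, ideally with a functional test asserting that anonymous requests to the backend root and to a sub-path are redirected to login while a sibling path sharing the prefix is served. The parameter is also used as a raw regex fragment, so a custom backend URL containing regex metacharacters changes what the rule matches; a comment above the two rules would record both facts, e.g. `# ($|/) limits the match to the backend root and its sub-paths; bolt.backend_url is interpolated as a regex fragment`. Per UPGRADE-5.2.md, existing installs must edit their own copy of this file, so their rules stay as before until that step is applied.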