diff --git a/docker/publish-docker-image.sh b/docker/publish-docker-image.sh
index 35eaf336..c2beb54f 100755
--- a/docker/publish-docker-image.sh
+++ b/docker/publish-docker-image.sh
@@ -87,6 +87,11 @@ check_requirements_pin() {
     echo "ERROR: requirements.txt must contain $expected_requirement"
     exit 1
   fi
+
+  if ! grep -qxE 'secureapp-python-agent==[^[:space:]]+' requirements-secureapp.txt; then
+    echo "ERROR: requirements-secureapp.txt must pin secureapp-python-agent with =="
+    exit 1
+  fi
 }
 
 build_docker_image() {
diff --git a/docker/requirements-secureapp.txt b/docker/requirements-secureapp.txt
index bd0af408..83776e8e 100644
--- a/docker/requirements-secureapp.txt
+++ b/docker/requirements-secureapp.txt
@@ -1,4 +1,4 @@
 -r requirements.txt
 
-# Keep this aligned with pyproject.toml's secureapp extra.
-secureapp-python-agent>=26.6.0
+# Pin SecureApp for reproducible release images; update intentionally after review.
+secureapp-python-agent==26.6.1
diff --git a/pyproject.toml b/pyproject.toml
index 7eb995b2..bfb70406 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -38,7 +38,7 @@ dependencies = [
 
 [project.optional-dependencies]
 secureapp = [
-  "secureapp-python-agent>=26.6.0",
+  "secureapp-python-agent>=26.6.1",
 ]
 
 [project.urls]