diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index efc47527fa..578d5fcb5e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,7 +6,7 @@ in development
 Fixed
 ~~~~~
-* ‎Fix Snyk Security Finding Cross-site Scripting (XSS) in contrib/examples/sensors/echo_flask_app.py
+* Fix Snyk Security Finding Cross-site Scripting (XSS) in contrib/examples/sensors/echo_flask_app.py
   Contributed by (@philipphomberger Schwarz IT KG)
 * Additional fixes for st2 client auth when proxy auth mode enabled #6049
@@ -41,6 +41,9 @@ Fixed
 * Update version 3.1.15 of ``gitpython`` to 3.1.18 for py3.6 and to 3.1.37 for py3.8 (security). #6063
+* Update importlib-metadata from 3.10.1 to 4.8.3 for py3.6 and to 4.10.1 for py3.8 (security). #6072
+  Contributed by @jk464
+
 Added
 ~~~~~
 * Move `git clone` to `user_home/.st2packs` #5845
diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 915e16b599..21f93c6f91 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -60,9 +60,12 @@ routes==2.4.1
 semver==2.13.0
 six==1.13.0
 argparse==1.12.2
-argcomplete==1.12.2
+# Note: argcomplete 1.12.3 supports importlib-metadata<5
+argcomplete==1.12.3
 prettytable==2.1.0
-importlib-metadata==3.10.1
+# Note: installs importlib-metadata==4.10.1 (security fixed) under py3.8 and importlib-metadata==4.8.3 (latest available, vulnerable) under py3.6
+# TODO: Pin to 4.10.1 or higher after dropping python3.6 support
+importlib-metadata>=4.8.3,<=4.10.1
 # importlib-metadata requires typing-extensions but v4.2.0 requires py3.7+
 typing-extensions<4.2
 # NOTE: sseclient has various issues which sometimes hang the connection for a long time, etc.
diff --git a/requirements.txt b/requirements.txt
index 5183347a27..b0b44eda39 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,7 +9,7 @@ MarkupSafe<2.1.0,>=0.23
 RandomWords
 amqp==5.0.6
 apscheduler==3.7.0
-argcomplete==1.12.2
+argcomplete==1.12.3
 bcrypt==3.2.0
 cffi<1.15.0
 chardet<3.1.0
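Review bot: The new `importlib-metadata>=4.8.3,<=4.10.1` line in the fixed-requirements.txt hunk turns a fixed pin into a range, so the installed version now depends on the resolver and interpreter rather than on this file, and the hunk's own comment states that the py3.6 resolution (4.8.3) is still vulnerable. Environment markers keep one exact pin per interpreter and make the residual exposure explicit in the file itself: `importlib-metadata==4.10.1; python_version >= "3.7"` and `importlib-metadata==4.8.3; python_version < "3.7"  # latest available on py3.6, not security fixed` (the 3.7 boundary is inferred from the neighbouring typing-extensions comment; confirm against the supported interpreters). The same range is carried into the generated requirements.txt and st2client/requirements.txt hunks, which the st2client header says are produced by `make requirements`, so regenerating after the change would propagate the markers. The CHANGELOG entry labels the bump `(security)` without noting that py3.6 installs remain on the unfixed release; a short qualifier such as `(security; py3.6 remains on 4.8.3, which is not fixed)` would keep the changelog from overstating the fix.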
@@ -23,7 +23,7 @@ gitdb==4.0.2
 gitpython<=3.1.37
 greenlet==1.0.0
 gunicorn==21.2.0
-importlib-metadata==3.10.1
+importlib-metadata>=4.8.3,<=4.10.1
 jinja2==2.11.3
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index a99071ba7f..e4656b91d8 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -5,11 +5,11 @@
 # If you want to update depdencies for a single component, modify the
 # in-requirements.txt for that component and then run 'make requirements' to
 # update the component requirements.txt
-argcomplete==1.12.2
+argcomplete==1.12.3
 cffi<1.15.0
 chardet<3.1.0
 cryptography==39.0.1
-importlib-metadata==3.10.1
+importlib-metadata>=4.8.3,<=4.10.1
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
 orjson==3.5.2