diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5662d464e..c8506f1ef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - when generating an avoir, the option "by_wallet" is not present anymore if wallet module is off
 - Fix a bug: edge case of birthday in the future in seeds.rb, we should use Date.current instead of DateTime.current since birthday is a date (see https://github.com/sleede/fab-manager/issues/344)
 - Fix a security issue: updated ruby to 2.6.10 to fix [CVE-2022-28739](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28739)
+- Fix a security issue: updated rails to 5.2.7.1 to fix [CVE-2022-22577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577) and [CVE-2022-27777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777)
 
 ## v5.3.13 2022 May 02
 
diff --git a/Gemfile b/Gemfile
index 729a49fcc..1aaa0227f 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,7 +3,7 @@
 source 'https://rubygems.org'
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 5.2.4'
+gem 'rails', '~> 5.2.7'
 # Used by rails 5.2 to reduce the app boot time by over 50%
 gem 'bootsnap'
 # Use Puma as web server
diff --git a/Gemfile.lock b/Gemfile.lock
index 0b72d00e4..47fff1113 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -4,46 +4,46 @@ GEM
     Ascii85 (1.0.3)
     aasm (5.0.8)
       concurrent-ruby (~> 1.0)
-    actioncable (5.2.6.3)
-      actionpack (= 5.2.6.3)
+    actioncable (5.2.7.1)
+      actionpack (= 5.2.7.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.6.3)
-      actionpack (= 5.2.6.3)
-      actionview (= 5.2.6.3)
-      activejob (= 5.2.6.3)
+    actionmailer (5.2.7.1)
+      actionpack (= 5.2.7.1)
+      actionview (= 5.2.7.1)
+      activejob (= 5.2.7.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.6.3)
-      actionview (= 5.2.6.3)
-      activesupport (= 5.2.6.3)
+    actionpack (5.2.7.1)
+      actionview (= 5.2.7.1)
+      activesupport (= 5.2.7.1)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
     actionpack-page_caching (1.2.2)
       actionpack (>= 5.0.0)
-    actionview (5.2.6.3)
-      activesupport (= 5.2.6.3)
+    actionview (5.2.7.1)
+      activesupport (= 5.2.7.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
     active_record_query_trace (1.7)
-    activejob (5.2.6.3)
-      activesupport (= 5.2.6.3)
+    activejob (5.2.7.1)
+      activesupport (= 5.2.7.1)
       globalid (>= 0.3.6)
-    activemodel (5.2.6.3)
-      activesupport (= 5.2.6.3)
-    activerecord (5.2.6.3)
-      activemodel (= 5.2.6.3)
-      activesupport (= 5.2.6.3)
+    activemodel (5.2.7.1)
+      activesupport (= 5.2.7.1)
+    activerecord (5.2.7.1)
+      activemodel (= 5.2.7.1)
+      activesupport (= 5.2.7.1)
       arel (>= 9.0)
-    activestorage (5.2.6.3)
-      actionpack (= 5.2.6.3)
-      activerecord (= 5.2.6.3)
+    activestorage (5.2.7.1)
+      actionpack (= 5.2.7.1)
+      activerecord (= 5.2.7.1)
       marcel (~> 1.0.0)
-    activesupport (5.2.6.3)
+    activesupport (5.2.7.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -94,7 +94,7 @@ GEM
     cldr-plurals-runtime-rb (1.0.1)
     coercible (1.0.0)
       descendants_tracker (~> 0.0.1)
-    concurrent-ruby (1.1.9)
+    concurrent-ruby (1.1.10)
     connection_pool (2.2.5)
     coveralls_reborn (0.18.0)
       simplecov (>= 0.18.1, < 0.20.0)
@@ -197,7 +197,7 @@ GEM
     listen (3.0.8)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
-    loofah (2.14.0)
+    loofah (2.17.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -285,18 +285,18 @@ GEM
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     railroady (1.5.3)
-    rails (5.2.6.3)
-      actioncable (= 5.2.6.3)
-      actionmailer (= 5.2.6.3)
-      actionpack (= 5.2.6.3)
-      actionview (= 5.2.6.3)
-      activejob (= 5.2.6.3)
-      activemodel (= 5.2.6.3)
-      activerecord (= 5.2.6.3)
-      activestorage (= 5.2.6.3)
-      activesupport (= 5.2.6.3)
+    rails (5.2.7.1)
+      actioncable (= 5.2.7.1)
+      actionmailer (= 5.2.7.1)
+      actionpack (= 5.2.7.1)
+      actionview (= 5.2.7.1)
+      activejob (= 5.2.7.1)
+      activemodel (= 5.2.7.1)
+      activerecord (= 5.2.7.1)
+      activestorage (= 5.2.7.1)
+      activesupport (= 5.2.7.1)
       bundler (>= 1.3.0)
-      railties (= 5.2.6.3)
+      railties (= 5.2.7.1)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
@@ -310,9 +310,9 @@ GEM
       rails_stdout_logging
     rails_serve_static_assets (0.0.5)
     rails_stdout_logging (0.0.5)
-    railties (5.2.6.3)
-      actionpack (= 5.2.6.3)
-      activesupport (= 5.2.6.3)
+    railties (5.2.7.1)
+      actionpack (= 5.2.7.1)
+      activesupport (= 5.2.7.1)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.19.0, < 2.0)
@@ -401,7 +401,7 @@ GEM
       ffi
     term-ansicolor (1.7.1)
       tins (~> 1.0)
-    thor (0.20.3)
+    thor (1.2.1)
     thread_safe (0.3.6)
     thwait (0.2.0)
       e2mmap
@@ -492,7 +492,7 @@ DEPENDENCIES
   puma (= 4.3.12)
   pundit
   railroady
-  rails (~> 5.2.4)
+  rails (~> 5.2.7)
   rails-observers
   rails_12factor
   rb-readline
@@ -520,4 +520,4 @@ DEPENDENCIES
   webmock
 
 BUNDLED WITH
-   2.2.21
+   2.3.13