diff --git a/CHANGELOG.md b/CHANGELOG.md
index 062da02..03c1756 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Hermes Web UI -- Changelog
+## [v0.50.76] — 2026-04-17
+
+### Fixed
+- **CSP blocked external images in chat** — `img-src` in the Content Security Policy was restricted to `'self'` and `data:`, causing the browser to block any external image URLs (e.g. from Wikipedia, GitHub, or other HTTPS sources) that the agent rendered in a response. Expanded to `img-src 'self' data: https: blob:` so external images load correctly. (Closes #608)
+
 ## [v0.50.75] — 2026-04-17
 ### Fixed
diff --git a/api/helpers.py b/api/helpers.py
index 92c024c..95c7a0e 100644
--- a/api/helpers.py
+++ b/api/helpers.py
@@ -45,7 +45,7 @@ def _security_headers(handler):
 "default-src 'self'; "
 "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
 "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
- "img-src 'self' data:; font-src 'self' data: https://cdn.jsdelivr.net; connect-src 'self'; "
+ "img-src 'self' data: https: blob:; font-src 'self' data: https://cdn.jsdelivr.net; connect-src 'self'; "
 "base-uri 'self'; form-action 'self'"
 )
 handler.send_header(
diff --git a/static/index.html b/static/index.html
index 9e378c3..21bc73c 100644
--- a/static/index.html
+++ b/static/index.html
@@ -561,7 +561,7 @@
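Review bot: The added `img-src 'self' data: https: blob:` line in api/helpers.py lets the browser load images from every HTTPS origin, so the policy no longer bounds where image requests go — anything the agent renders as an image, including untrusted markdown or tool output, can cause a request to an arbitrary host, which is the usual image-beacon leak channel a strict `img-src` is meant to close. If arbitrary external images are a product requirement, a same-origin image proxy would let `img-src` stay at `'self' data: blob:`; otherwise the trade-off should at least be recorded where the policy string is built, e.g. `# img-src is deliberately broad (https:) so agent-rendered external images load (#608); this also permits image requests to any HTTPS host`. A `Referrer-Policy` header, if the handler does not already send one, would keep the page URL out of those outbound requests. `_security_headers` starts and ends outside the hunk.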
System
Instance version and access controls.
- v0.50.75
+ v0.50.76