diff --git a/.htaccess b/.htaccess
index ddd118c92..fe5e6fbc0 100644
--- a/.htaccess
+++ b/.htaccess
@@ -33,6 +33,8 @@ RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
 RewriteRule ^(?!installer|\.well-known\/|[a-zA-Z0-9]{16})(\.?[^\.]+)$ - [F]
 # - deny access to some locations
 RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+# - deny access to composer binaries
+RewriteRule ^/vendor\/bin\/.* - [F]
 # - deny access to some documentation files
 RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$ - [F]
 
diff --git a/CHANGELOG b/CHANGELOG
index c9b269550..ce734dfd9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -18,6 +18,7 @@ CHANGELOG Roundcube Webmail
 - Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
 - Fix regression where groups with email address were resolved to its members' addresses
 - Fix update of group name in the contacts list header on group rename (#5648)
+- Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
 
 RELEASE 1.2.3
 -------------
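Review bot: The added pattern `^/vendor\/bin\/.*` in the .htaccess hunk requires a leading slash, but in per-directory (.htaccess) context mod_rewrite strips the directory prefix before matching, so the path it sees normally begins with `vendor/bin/...` and this rule would not fire there. The rule directly above covers both contexts with `^/?(...)`; the same form here would be `RewriteRule ^/?vendor/bin/ - [F]`. It is worth confirming after the change that a request for a file under vendor/bin returns 403. The rest of vendor/ stays reachable with this rule; if that is intended, the comment could say so, e.g. `# - deny access to composer binaries (vendor/bin only)`.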