diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index 6d7bfff..3d57d75 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -15,4 +15,9 @@ ignore = [
     # `rsa` Marvin Attack; transitive dep via `sqlx-macros-core` -> `sqlx-mysql`. The `mysql`
     # feature is not enabled, so `sqlx-mysql` is never compiled — it only appears in Cargo.lock.
     "RUSTSEC-2023-0071",
+
+    # `rand` 0.8.5 unsoundness when `log` + `thread_rng` features are both enabled and a custom
+    # logger calls `rand::rng()` during reseeding. Our 0.8.5 (transitive via alloy-consensus)
+    # has neither feature enabled; our 0.9.4 is already patched.
+    "RUSTSEC-2026-0097",
 ]