diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca85fb0..35fa2a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.9.5] - 2025-11-23
+
+### Fixed
+- **SECRET_KEY empty string handling**: Fixed config.py to properly handle empty `FLASK_SECRET_KEY` environment variable
+  - `os.getenv()` returns empty string (not None) when env var is set to `""`
+  - Empty string now correctly falls back to SESSION_SECRET
+  - Prevents Flask session/flash failures when FLASK_SECRET_KEY="" in .env file
+
 ## [0.9.4] - 2025-11-22
 
 ### Fixed
diff --git a/starpunk/__init__.py b/starpunk/__init__.py
index d16fbb8..7eb4118 100644
--- a/starpunk/__init__.py
+++ b/starpunk/__init__.py
@@ -153,5 +153,5 @@ def create_app(config=None):
 
 # Package version (Semantic Versioning 2.0.0)
 # See docs/standards/versioning-strategy.md for details
-__version__ = "0.9.4"
-__version_info__ = (0, 9, 4)
+__version__ = "0.9.5"
+__version_info__ = (0, 9, 5)
diff --git a/starpunk/config.py b/starpunk/config.py
index a8293df..7d9c00d 100644
--- a/starpunk/config.py
+++ b/starpunk/config.py
@@ -44,9 +44,9 @@ def load_config(app, config_override=None):
         )
 
     # Flask secret key (uses SESSION_SECRET by default)
-    app.config["SECRET_KEY"] = os.getenv(
-        "FLASK_SECRET_KEY", app.config["SESSION_SECRET"]
-    )
+    # Note: We check for truthy value to handle empty string in .env
+    flask_secret = os.getenv("FLASK_SECRET_KEY")
+    app.config["SECRET_KEY"] = flask_secret if flask_secret else app.config["SESSION_SECRET"]
 
     # Data paths
     app.config["DATA_PATH"] = Path(os.getenv("DATA_PATH", "./data"))