diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5af3875..cf74e92 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@ All notable changes to Tandem Browser will be documented in this file.
+## [v0.62.13] - 2026-03-17
+
+- fix: restrict sync root paths to user home directory (security)
+
 ## [v0.62.12] - 2026-03-17
 - fix: sanitize preview IDs to prevent path traversal and reflected XSS (security)
diff --git a/package-lock.json b/package-lock.json
index 0c2ccbe..c37144e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "tandem-browser",
-  "version": "0.62.12",
+  "version": "0.62.13",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "tandem-browser",
-      "version": "0.62.12",
+      "version": "0.62.13",
       "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
diff --git a/package.json b/package.json
index 7041161..da84966 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "tandem-browser",
-  "version": "0.62.12",
+  "version": "0.62.13",
   "description": "First-party OpenClaw companion browser for human-AI collaboration with built-in security controls",
   "main": "dist/main.js",
   "author": "Tandem Browser contributors",
diff --git a/shell/about.html b/shell/about.html
index f9e3824..698b40c 100644
--- a/shell/about.html
+++ b/shell/about.html
@@ -114,7 +114,7 @@
Tandem
First-Party OpenClaw Companion Browser
Developer Preview
-
v0.62.12
+
v0.62.13
Built specifically for human-AI collaboration with OpenClaw.
Maintained in the same ecosystem as OpenClaw, with security and local control built in.
diff --git a/src/utils/security.ts b/src/utils/security.ts
index 38ba95e..0d959a3 100644
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -1,4 +1,5 @@
 import fs from 'fs';
+import os from 'os';
 import path from 'path';
 const HTML_ESCAPE_RE = /[&<>"']/g;
@@ -159,6 +160,7 @@ export function normalizeExistingDirectoryPath(value: string, label: string): st
   }
   const resolved = path.resolve(trimmed);
+  assertPathWithinRoot(os.homedir(), resolved);
   const stat = fs.statSync(resolved);
   if (!stat.isDirectory()) {
     throw new Error(`${label} must be a directory`);
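Review bot: `assertPathWithinRoot(os.homedir(), resolved)` is applied to the lexically resolved path, so a symbolic link that sits under the home directory but points elsewhere still passes the check, and `fs.statSync(resolved)` on the next line then follows it outside the intended root; resolving the real path first closes that gap, e.g. `const real = fs.realpathSync(resolved); assertPathWithinRoot(os.homedir(), real);` (realpathSync throws for a missing path, which statSync would have rejected anyway, so only the error message changes). Applying the same `fs.realpathSync` to `os.homedir()` keeps the comparison consistent when the home directory is itself a link. I cannot see `assertPathWithinRoot` from this hunk, so whether it accepts the root itself and how it compares on case-insensitive filesystems is worth a one-line comment at the call site, such as `// Sync roots must stay inside the user's home directory; see assertPathWithinRoot for the prefix rules.`. normalizeExistingDirectoryPath starts before this hunk and continues after it.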