diff --git a/CHANGELOG.md b/CHANGELOG.md
index 666ab15d53..1c874c67f1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,13 @@ This document contains a historical list of changes between releases. Only changes that impact end-user behavior are listed; changes to documentation or internal API changes are not present.
+v1.3.2
+-----------------
+
+### Security fixes
+
+- Add quotes to windows service path to prevent path interception attack. [CVE-2024-8975](https://grafana.com/security/security-advisories/cve-2024-8975/) (@mattdurham)
+
 v1.3.1
 -----------------
diff --git a/packaging/windows/install_script.nsis b/packaging/windows/install_script.nsis
index b51ff8c8d3..3f3a114d09 100644
--- a/packaging/windows/install_script.nsis
+++ b/packaging/windows/install_script.nsis
@@ -98,7 +98,7 @@ Section "install"
 Call InitializeRegistry
 # Create the service.
- nsExec::ExecToLog 'sc create "Alloy" start= delayed-auto binpath= "$INSTDIR\alloy-service-windows-amd64.exe"'
+ nsExec::ExecToLog 'sc create "Alloy" start= delayed-auto binpath= "\"$INSTDIR\alloy-service-windows-amd64.exe\""'
 Pop $0
 # Start the service.
@@ -156,7 +156,7 @@ Function InitializeRegistry
 nsExec::ExecToLog 'Reg.exe query "${REGKEY}" /reg:64 /ve'
 Pop $0
 ${If} $0 == 1
- nsExec::ExecToLog 'Reg.exe add "${REGKEY}" /reg:64 /ve /d "$INSTDIR\alloy-windows-amd64.exe"'
+ nsExec::ExecToLog 'Reg.exe add "${REGKEY}" /reg:64 /ve /d "\"$INSTDIR\alloy-windows-amd64.exe\""'
 Pop $0 # Ignore return result
 ${EndIf}
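Review bot: The quoted `binpath=` only takes effect when `sc create` succeeds, so a host that already has an "Alloy" service registered with the old unquoted ImagePath may keep it; the exit code is popped into `$0` on the next line and nothing visible in the hunk checks it. Whether the service is removed earlier in `Section "install"` is outside the hunk, so this needs confirming. If it is not removed, follow the create with `nsExec::ExecToLog 'sc config "Alloy" binpath= "\"$INSTDIR\alloy-service-windows-amd64.exe\""'` so upgrades get the corrected path as well. A one-line comment such as `# binpath needs embedded quotes: an unquoted ImagePath containing spaces allows path interception (CVE-2024-8975)` would stop the escaping from being simplified away later.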
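Review bot: The new `/d "\"$INSTDIR\alloy-windows-amd64.exe\""` stores literal quote characters in the default value of `${REGKEY}`, which is data read back by some consumer rather than a command line parsed by the service control manager. The reader of this value is not visible in the hunk; if it passes the string to a process-creation call as an executable path, the quotes become part of the file name and the launch fails. Confirm the consumer strips them, or keep the unquoted `/d "$INSTDIR\alloy-windows-amd64.exe"` here. Separately, the `Reg.exe add` sits inside `${If} $0 == 1`, so a default value left by an earlier install is not rewritten. InitializeRegistry begins above the hunk and may continue below it.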