diff --git a/.github/workflows/maven-cd.yml b/.github/workflows/maven-cd.yml index ec435f6..37b2483 100644 --- a/.github/workflows/maven-cd.yml +++ b/.github/workflows/maven-cd.yml @@ -43,6 +43,14 @@ jobs: with: fetch-depth: 0 + - name: Verify tag commit is reachable from master + run: | + if ! git merge-base --is-ancestor "${{ github.sha }}" origin/master; then + echo "❌ Tag commit ${{ github.sha }} is not reachable from origin/master" + exit 1 + fi + echo "✅ Tag commit ${{ github.sha }} is reachable from origin/master" + - name: Extract and validate tag components id: tag run: | diff --git a/CHANGELOG.md b/CHANGELOG.md index d9e0783..05cb178 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -55,6 +55,9 @@ Release names follow the **historic football clubs** naming convention (A–Z): in-memory with `ddl.sql`/`dml.sql`; switch `spring.jpa.hibernate.ddl-auto` from `none` to `validate` so Hibernate verifies entity mappings against the Flyway-managed schema (#130) +- Add runtime verification step to the CD workflow that checks whether the tag + commit is reachable from `origin/master` before proceeding with build and + publish steps, preventing accidental releases from unmerged branches (#292) ### Changed
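Review bot: The new "Verify tag commit is reachable from master" step guards against accidents only, because on a tag push the workflow file is read from the tagged commit, so a tag placed on an unmerged branch can carry a copy of `maven-cd.yml` without this step. I would state that in a comment above the step, e.g. `# Guards against accidental tags only; enforcement belongs in tag protection rules or a protected environment`, and back it with such a repository-side control. Separately, the `run:` script expands `${{ github.sha }}` into the shell text three times; the value is a commit hash, so the risk is low, but reading it from the default environment variable keeps expressions out of scripts: `if ! git merge-base --is-ancestor "$GITHUB_SHA" origin/master; then`. The job definition and the publish steps lie outside this hunk, so whether anything sensitive runs before this check could not be confirmed from here.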