diff --git a/nixos/doc/manual/release-notes/rl-2611.section.md b/nixos/doc/manual/release-notes/rl-2611.section.md
index 8397e17792cf..bb2058d6b4ac 100644
--- a/nixos/doc/manual/release-notes/rl-2611.section.md
+++ b/nixos/doc/manual/release-notes/rl-2611.section.md
@@ -26,4 +26,4 @@
-- Create the first release note entry in this section!
+- The `newuidmap` and `newgidmap` security wrappers are now installed with `cap_setuid`/`cap_setgid` file capabilities instead of the setuid-root bit, matching shadow's `--with-fcaps` install mode and other major distributions. Rootless containers (podman, docker-rootless, unprivileged user namespaces) are unaffected. The only behavioural change is that mapping host uid 0 via `/etc/subuid` (which NixOS never configures by default) additionally requires `cap_setfcap`; users who explicitly grant uid 0 in a subuid range can restore the previous behaviour with `security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";`.
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index d179283ac559..3c53531d90f7 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -267,13 +267,22 @@ in
 group = "root";
 inherit source;
 };
+ mkCapRoot = capabilities: source: {
+ inherit capabilities source;
+ owner = "root";
+ group = "root";
+ };
 in
 {
 su = mkSetuidRoot "${config.security.shadow.su.package}/bin/su";
 sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
 newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
- newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
- newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
+ # File capabilities instead of setuid root, mirroring shadow's
+ # own --with-fcaps install mode and what Arch/Fedora/Debian ship.
+ # The kernel only requires CAP_SETUID/CAP_SETGID over the parent
+ # userns to write a multi-line /proc//[ug]id_map.
+ newuidmap = mkCapRoot "cap_setuid+ep" "${cfg.package.out}/bin/newuidmap";
+ newgidmap = mkCapRoot "cap_setgid+ep" "${cfg.package.out}/bin/newgidmap";
 }
 // lib.optionalAttrs config.users.mutableUsers {
 chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
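Review bot: The new comment above `newuidmap` claims CAP_SETUID/CAP_SETGID alone are sufficient, but the release note added in this same commit documents that mapping host uid 0 additionally needs CAP_SETFCAP (a kernel rule that, as far as I recall, dates from 5.12); that caveat belongs next to the code it governs, and `/proc//[ug]id_map` looks like a `<pid>` element lost in transit. Suggest replacing the last two comment lines with `# The kernel only requires CAP_SETUID/CAP_SETGID over the parent userns to write a multi-line /proc/<pid>/[ug]id_map; mapping host uid 0 additionally needs CAP_SETFCAP, see the 26.11 release note.` A consequence of dropping setuid root that neither the comment nor the note states is that the wrappers now read `/etc/subuid` and `/etc/subgid` as the calling user — they get only CAP_SETUID/CAP_SETGID, not CAP_DAC_OVERRIDE — so those files must remain world-readable; presumably NixOS already writes them that way, but it is worth confirming and recording in the comment, since a hardened mode on those files would silently break rootless containers. The `let` binding that `mkCapRoot` joins starts before this hunk and the `// lib.optionalAttrs` set continues past it.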