diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index aed11ae356f8f25e1b616182fbd2eaf6c4fd6a5b..e186961764ed8497e08103c0a2760d2fcd3b9bdf 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -29,15 +29,15 @@ Fixed
 * The menu button used to be displayed twice on smaller screens.
 * The icons were loaded from external servers instead from local server.
 * Weekdays were not translated if system locales were missing
-  
+
   * Added locales-all to base image and note to docs
 
 * The icons in the account menu were still the old ones.
 * Due to a merge error, the once removed account menu in the sidenav appeared again.
 * Scheduled notifications were shown on dashboard before time.
 * Remove broken notifications menu item in favor of item next to account menu.
-* [OAuth2] Resources which are protected with client credentials 
-  allowed access if no scopes were allowed.
+* [OAuth2] Resources which are protected with client credentials
+  allowed access if no scopes were allowed (CVE-2022-29773).
 * The site logo could overlap with the menu for logos with an unexpected aspect ratio.
 * Some OAuth2 views stopped working with long scope names.
 * Resetting password was impossible due to a missing rule