diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md
index e266007f1c2ef1604a965b655ed789b0e62e286a..a02955c01c2734645230d20810babaaff0d512b3 100644
--- a/docs/simplesamlphp-changelog.md
+++ b/docs/simplesamlphp-changelog.md
@@ -14,6 +14,8 @@ Released 2019-11-19
   * Fixed an issue with web server aliases or rewritten URLs not working (#1023, #1093).
   * Fixed an issue that prevented errors to be logged if the log file was not writeable (#1194).
   * Fixed an issue with old-style NameIDPolicy configurations that disallowed creating new NameIDs (#1230).
+  * Resolved a security issue that exposed host information to unauthenticated users. See
+    [SSPSA 201911-02](https://simplesamlphp.org/security/201911-02).
   * Replaced custom Email class with the phpmailer library.
   * Allow logging to STDERR in the `logging.handler` option by setting it to `stderr`.
   * Allow use of stream wrappers (e.g. s3://) in paths.