diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8b974ae5ae05b07da2e56de557e55f9b78c3645..0ff65f2b46cb5f54858840bcb6f3a29a265cd7e7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,8 +32,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed ###
 
+* Denying a role permission has no effect
+  [#196](https://gitlab.com/caosdb/caosdb-server/-/issues/196). See security
+  notes below.
+
 ### Security ###
 
+* Fixed [#196](https://gitlab.com/caosdb/caosdb-server/-/issues/196). This was
+  an error in the authorization procedure which allowed unprivileged users
+  execute insert, update or delete transactions on entities. However, the
+  unprivileged users would also need the correct entity permissions to do that.
+
+  Without backup, this means possible data loss. Also there is the possibility
+  to spam the database by creating unwanted entities.
+
 ### Documentation ###
 
 - Nested queries.
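Review bot: The Security entry does not say which releases are affected or which release carries the fix, so an operator cannot tell whether their deployment needs to be audited for unwanted inserts, updates or deletes. Suggest adding the affected version range. The same entry is missing a "to" in "allowed unprivileged users execute insert, update or delete transactions". It would also help to tie the two entries together explicitly: the Fixed entry says a denied role permission had no effect, and the Security entry says entity permissions were still required, so the exposure is limited to users who hold entity permissions but were meant to be blocked at role level. Stating that in one sentence makes the impact easier to assess. The Fixed bullet "Denying a role permission has no effect" describes the bug rather than the fix; consider wording it as what now works. Minor style point: the new bullets use `*` while the Documentation list just below uses `-`.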