diff --git a/docs/changes.rst b/docs/changes.rst
index 40cad01b6..b0c1b6f35 100644
--- a/docs/changes.rst
+++ b/docs/changes.rst
@@ -1318,6 +1318,9 @@ Compatibility notes:
 
   - read all the compatibility notes for 1.1.0*, starting from 1.1.0b1.
   - borg upgrade: you do not need to and you also should not run it.
+    There is one exception though:
+    If you upgrade from an unpatched borg < 1.0.9, please read that section
+    above: "Pre-1.0.9 manifest spoofing vulnerability (CVE-2016-10099)"
   - borg might ask some security-related questions once after upgrading.
     You can answer them either manually or via environment variable.
     One known case is if you use unencrypted repositories, then it will ask
@@ -1465,6 +1468,9 @@ Compatibility notes:
 
   - read all the compatibility notes for 1.1.0*, starting from 1.1.0b1.
   - borg upgrade: you do not need to and you also should not run it.
+    There is one exception though:
+    If you upgrade from an unpatched borg < 1.0.9, please read that section
+    above: "Pre-1.0.9 manifest spoofing vulnerability (CVE-2016-10099)"
   - borg might ask some security-related questions once after upgrading.
     You can answer them either manually or via environment variable.
     One known case is if you use unencrypted repositories, then it will ask
@@ -1735,6 +1741,9 @@ Compatibility notes:
 
   - read all the compatibility notes for 1.1.0*, starting from 1.1.0b1.
   - borg upgrade: you do not need to and you also should not run it.
+    There is one exception though:
+    If you upgrade from an unpatched borg < 1.0.9, please read that section
+    above: "Pre-1.0.9 manifest spoofing vulnerability (CVE-2016-10099)"
   - borg might ask some security-related questions once after upgrading.
     You can answer them either manually or via environment variable.
     One known case is if you use unencrypted repositories, then it will ask
@@ -1807,6 +1816,9 @@ Compatibility notes:
 
   - read all the compatibility notes for 1.1.0*, starting from 1.1.0b1.
   - borg upgrade: you do not need to and you also should not run it.
+    There is one exception though:
+    If you upgrade from an unpatched borg < 1.0.9, please read that section
+    above: "Pre-1.0.9 manifest spoofing vulnerability (CVE-2016-10099)"
   - borg might ask some security-related questions once after upgrading.
     You can answer them either manually or via environment variable.
     One known case is if you use unencrypted repositories, then it will ask
@@ -1990,6 +2002,9 @@ Compatibility notes:
 
   - read all the compatibility notes for 1.1.0*, starting from 1.1.0b1.
   - borg upgrade: you do not need to and you also should not run it.
+    There is one exception though:
+    If you upgrade from an unpatched borg < 1.0.9, please read that section
+    above: "Pre-1.0.9 manifest spoofing vulnerability (CVE-2016-10099)"
   - borg might ask some security-related questions once after upgrading.
     You can answer them either manually or via environment variable.
     One known case is if you use unencrypted repositories, then it will ask
@@ -2283,6 +2298,9 @@ Compatibility notes:
 
   - read all the compatibility notes for 1.1.0*, starting from 1.1.0b1.
   - borg upgrade: you do not need to and you also should not run it.
+    There is one exception though:
+    If you upgrade from an unpatched borg < 1.0.9, please read that section
+    above: "Pre-1.0.9 manifest spoofing vulnerability (CVE-2016-10099)"
   - borg might ask some security-related questions once after upgrading.
     You can answer them either manually or via environment variable.
     One known case is if you use unencrypted repositories, then it will ask