From 73ee2cb3e26df3605e6c2b3be5a5c2ca12524428 Mon Sep 17 00:00:00 2001
From: Pedro Igor <pigor.craveiro@gmail.com>
Date: Mon, 22 Sep 2025 18:15:46 -0300
Subject: [PATCH] Update upgrade guide about changes in how the  parameter is
 propagated to OPs

Closes #42139

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
---
 .../upgrading/topics/changes/changes-26_4_0.adoc          | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc b/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc
index 1e985e01c57..0846d985918 100644
--- a/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc
+++ b/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc
@@ -4,6 +4,14 @@
 Breaking changes are identified as those that might require changes for existing users to their configurations or applications.
 In minor or patch releases, {project_name} will only introduce breaking changes to fix bugs.
 
+=== `acr_values` request parameter is not forwarded automatically to identity providers
+
+The `acr_values` request parameter is no longer automatically forwarded to OpenID Connect identity providers during authentication.
+This change enhances security by preventing unintended disclosure of authentication context information to external IDPs.
+
+If you are relying on the `acr_values` parameter to be propagated to an identity provider, you must now explicitly set `acr_values` request parameter
+to the `Forwarded query parameters` setting in the identity provider configuration.
+
 // ------------------------ Notable changes ------------------------ //
 == Notable changes