diff --git a/security/ldap.rst b/security/ldap.rst index 29b984b93d8..d2512428379 100644 --- a/security/ldap.rst +++ b/security/ldap.rst @@ -167,6 +167,13 @@ use the ``ldap`` user provider. ), ); +.. caution:: + + The Security component escapes values provided when binding against an LDAP + server (likewise for the user provider). However, the LDAP component does + not provide any other escaping, so it's your responsibility to prevent + the LDAP injection attacks. + The ``ldap`` user provider supports many different configuration options: service
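Review bot: in the added caution block, "does not provide any other escaping" leaves the reader without a concrete action, because it does not say which values remain unescaped or how to escape them. Suggest naming the case that is the reader's responsibility (user-supplied input passed into queries when the LDAP component is called directly) and pointing to whatever escaping facility the component documents, if there is one. The parenthetical "(likewise for the user provider)" would also be clearer as a full sentence stating what the user provider escapes. Minor wording: drop the article in "prevent the LDAP injection attacks" so it reads "prevent LDAP injection attacks".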