diff --git a/.changelog/_1238.txt b/.changelog/_1238.txt
new file mode 100644
index 000000000..79cb4b142
--- /dev/null
+++ b/.changelog/_1238.txt
@@ -0,0 +1,3 @@
+```release-note:security
+namespaces: **(Enterprise only)** Creating or editing namespaces that include default ACL policies or ACL roles now requires `acl:write` permission in the default namespace. This change fixes CVE-2021-41805.
+```