diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 175468340dfc..504d7b9f3183 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -53,6 +53,7 @@ Changelog * Populate django-treebeard cache during page routing to improve performance of `get_parent` (Nigel van Keulen) * Add a new user profile preference to configure user interface information density (Thibaud Colas) * Add additional field types to Elasticsearch mapping (scott-8) + * Fix: CVE-2024-32882: Permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet` (Ben Morse, Joshua Munn, Jake Howard, Sage Abdullah) * Fix: Fix typo in `__str__` for MySQL search index (Jake Howard) * Fix: Ensure that unit tests correctly check for migrations in all core Wagtail apps (Matt Westcott) * Fix: Correctly handle `date` objects on `human_readable_date` template tag (Jhonatan Lopes) diff --git a/docs/releases/6.1.md b/docs/releases/6.1.md index fe2f3cdf48b3..e285c8eb9ea9 100644 --- a/docs/releases/6.1.md +++ b/docs/releases/6.1.md 
@@ -64,6 +64,13 @@ For sites managing favicons via the CMS, Wagtail now supports [`.ico` favicon ge This feature was developed by Jake Howard. +### CVE-2024-32882: Permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet` + +This release addresses a permission vulnerability in the Wagtail admin interface. If a model has been made available for editing through the [`wagtail.contrib.settings`](/reference/contrib/settings) module or [ModelViewSet](modelviewset), and the permission argument on FieldPanel has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific field can craft an HTTP POST request that bypasses the permission check on the individual field, allowing them to update its value. + +The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or by a user who has not been granted edit access to the model in question. The editing interfaces for pages and snippets are also unaffected. + +Many thanks to Ben Morse and Joshua Munn for reporting this issue, and Jake Howard and Sage Abdullah for the fix. For further details, please see [the CVE-2024-32882 security advisory](https://github.com/wagtail/wagtail/security/advisories/GHSA-w2v8-php4-p8hc). ### Other features
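Review bot: The new CHANGELOG.txt entry (first hunk) lists reporters and fixers as one undifferentiated credit, `(Ben Morse, Joshua Munn, Jake Howard, Sage Abdullah)`, while the release note added in the same patch distinguishes the reporters (Ben Morse, Joshua Munn) from the authors of the fix (Jake Howard, Sage Abdullah); if the changelog convention allows it, consider `(reported by Ben Morse and Joshua Munn; fixed by Jake Howard and Sage Abdullah)`, or at least carry the advisory link (GHSA-w2v8-php4-p8hc) into the changelog entry so readers scanning only CHANGELOG.txt can reach the affected-version and upgrade details. Also note that this diff touches only CHANGELOG.txt and docs/releases/6.1.md; the code change for the per-field permission check and its regression test are not visible here, so make sure they are referenced from, or land together with, this changelog update.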
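Review bot: In the docs/releases/6.1.md hunk, the two cross-references in the new paragraph use different link forms: `[`wagtail.contrib.settings`](/reference/contrib/settings)` is a path while `[ModelViewSet](modelviewset)` is a bare label; confirm `modelviewset` is a defined MyST target so it does not render as a broken relative URL, and format `permission` and `FieldPanel` in backticks as the other identifiers in the sentence are. The note says the release "addresses" the vulnerability but never states which versions are affected or that upgrading is the remediation; one sentence giving the affected range (or pointing explicitly to the advisory for it) would let operators triage without leaving the release notes.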