diff --git a/UPGRADING b/UPGRADING
index 7944087c437..2e8d358075f 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -151,6 +151,11 @@ Reflection:
   . Reflection export to string now uses `int` and `bool` instead of `integer`
     and `boolean`.
 
+- SAPI:
+  . Starting with 7.3.24, incoming cookie names are not url-decoded. This was never 
+    required by the standard, outgoing cookie names aren't encoded and this leads 
+    to security issues (CVE-2020-7070).
+
 SPL:
   . If an SPL autoloader throws an exception, following autoloaders will not be
     executed. Previously all autoloaders were executed and exceptions were