diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6e9d8f3df..68153efdc 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1246,6 +1246,8 @@
  * If set, the X509 parser will not break-off when parsing an X509 certificate
  * and encountering an unknown critical extension.
  *
+ * \warning Depending on your PKI use, enabling this can be a security risk!
+ *
  * Uncomment to prevent an error.
  */
 //#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION