diff --git a/debian/changelog b/debian/changelog
index 7490db757..031403830 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ikiwiki (3.20161220) UNRELEASED; urgency=medium
+
+  * Add CVE references for CVE-2016-10026
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 21 Dec 2016 13:03:07 +0000
+
 ikiwiki (3.20161219) unstable; urgency=medium
 
   [ Joey Hess ]
@@ -8,7 +14,7 @@ ikiwiki (3.20161219) unstable; urgency=medium
   * Security: tell `git revert` not to follow renames. If it does, then
     renaming a file can result in a revert writing outside the wiki srcdir
     or altering a file that the reverting user should not be able to alter,
-    an authorization bypass. Thanks, intrigeri
+    an authorization bypass. Thanks, intrigeri. (CVE-2016-10026)
   * cgitemplate: remove some dead code. Thanks, blipvert
   * Restrict CSS matches against header class to not break
     Pandoc tables with header rows. Thanks, karsk
diff --git a/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn b/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn
index f21decec6..e7f3c6925 100644
--- a/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn
+++ b/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn
@@ -24,6 +24,9 @@ when reverting.
 > I tried to do something more clever (doing the revert, and checking
 > whether it made changes that aren't allowed) but couldn't get it to
 > work in a reasonable time, so I'm going with the simpler fix.
-> [[Fix committed|done]], a release will follow later today. --[[smcv]]
+> [[Fix committed|done]], a release will follow later today.
+>
+> [[!cve CVE-2016-10026]] has been assigned to this vulnerability.
+> --[[smcv]]
 
 >> You rock, thanks a lot! --[[intrigeri]]
diff --git a/doc/news/version_3.20161219.mdwn b/doc/news/version_3.20161219.mdwn
index 3b64cb8a8..b03900972 100644
--- a/doc/news/version_3.20161219.mdwn
+++ b/doc/news/version_3.20161219.mdwn
@@ -7,8 +7,8 @@ ikiwiki 3.20161219 released with [[!toggle text="these changes"]]
    * Security: tell `git revert` not to follow renames. If it does, then
      renaming a file can result in a revert writing outside the wiki srcdir
      or altering a file that the reverting user should not be able to alter,
-     an authorization bypass. Thanks, intrigeri
+     an authorization bypass. Thanks, intrigeri. ([[!cve CVE-2016-10026]])
    * cgitemplate: remove some dead code. Thanks, blipvert
    * Restrict CSS matches against header class to not break
      Pandoc tables with header rows. Thanks, karsk
-   * Make pagestats output more deterministic. Thanks, intrigeri"""]]
\ No newline at end of file
+   * Make pagestats output more deterministic. Thanks, intrigeri"""]]
diff --git a/doc/security.mdwn b/doc/security.mdwn
index a5db9b410..4f825deba 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -562,4 +562,4 @@ This affects sites with the `git` VCS and the `recentchanges` plugin,
 which are both used in most ikiwiki installations.
 
 This bug was reported on 2016-12-17. The fixed version 3.20161219
-was released on 2016-12-19.
+was released on 2016-12-19. ([[!cve CVE-2016-10026]])