diff --git a/source/administration/security.txt b/source/administration/security.txt index 642d6888950..6a41af648d0 100644 --- a/source/administration/security.txt +++ b/source/administration/security.txt @@ -277,9 +277,11 @@ authentication system: db.system.users.find() - The ``admin`` database is unique. Users with *normal* access to the - ``admin`` database have read and write access to all - databases. Users with *read only* access to the ``admin`` database - have read only access to all databases. + ``admin`` database have read and write access to all databases. Users + with *read only* access to the ``admin`` database have read only + access to all databases, with the exception of the ``system.users`` + collection, which is protected to prevent privilege escalation + attacks. Additionally the ``admin`` database exposes several commands and functionality, such as :dbcommand:`listDatabases`.
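Review bot: The scope of the new exception is ambiguous in the added lines: "with the exception of the ``system.users`` collection" can be read as only ``admin.system.users`` or as the ``system.users`` collection of every database, and since the sentence is about read-only access to *all* databases the reader needs to know which. Suggest stating it explicitly, e.g. "... have read only access to all databases, except that they cannot read the ``system.users`` collection (of any database), which is protected to prevent privilege escalation attacks." It would also help to say in one clause what makes that collection sensitive (it is the collection the ``db.system.users.find()`` example above queries, i.e. the user records themselves), and, if this restriction only applies from a particular release, to add a ``.. versionchanged::`` directive so readers on older builds are not surprised by different behaviour. Minor: the unchanged context line "Additionally the ``admin`` database exposes ..." is missing a comma after "Additionally".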