diff --git a/pyproject.toml b/pyproject.toml
index a04d318cc..934cce55e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -15,7 +15,7 @@ repository = "https://github.com/aryn-ai/sycamore.git"
 
 [tool.poetry.dependencies]
 # streamlit in query-ui disallows 3.9.7
-# cryptography in sycamore-ai disallows 3.9.1, 3.9.0
+# cryptography in sycamore-ai disallows 3.9.1, 3.9.0, need >44.0.1 due to CVE-2024-12797: https://github.com/aryn-ai/sycamore/security/dependabot/327
 python = ">=3.9.2,<3.9.7 || >3.9.7,<3.13"
 
 sycamore-ai = "^0.1.13"