diff --git a/java/ql/lib/change-notes/2022-12-08-mybatis-parameters.md b/java/ql/lib/change-notes/2022-12-08-mybatis-parameters.md new file mode 100644 index 00000000000..b7fb197c23e --- /dev/null +++ b/java/ql/lib/change-notes/2022-12-08-mybatis-parameters.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* We now detect SQL injection via the MyBatis library when the `@Param` annotation is not used, but the unannotated parameter is referred to by name regardless. This is an undocumented feature of the MyBatis library; the documentation suggests either `@Param` should be used, or a parameter should be referred to by position, e.g. `{arg0}`.
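Review bot: the wording of the bullet in the new change note is awkward, in particular "when the `@Param` annotation is not used, but the unannotated parameter is referred to by name regardless"; suggest "when a parameter lacks the `@Param` annotation but is nevertheless referenced by name in the SQL string", which states the detected pattern more directly. Consider also splitting the second sentence so the caveat about documented usage stands on its own, e.g. "This is undocumented MyBatis behaviour: the documentation recommends either `@Param` or positional references such as `{arg0}`."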