diff --git a/src/flask/helpers.py b/src/flask/helpers.py
index f891eed1..57c8a000 100644
--- a/src/flask/helpers.py
+++ b/src/flask/helpers.py
@@ -547,7 +547,8 @@ def send_from_directory(
 raises a 404 :exc:`~werkzeug.exceptions.NotFound` error.
 :param directory: The directory that ``path`` must be located under,
- relative to the current application's root path.
+ relative to the current application's root path. This *must not*
+ be a value provided by the client, otherwise it becomes insecure.
 :param path: The path to the file to send, relative to ``directory``.
 :param kwargs: Arguments to pass to :func:`send_file`.
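Review bot: The new sentence on the ``:param directory:`` line warns that the value must not come from the client but does not say why, and "otherwise it becomes insecure" leaves a maintainer to guess what the actual failure is. The hunk itself describes ``path`` as relative to ``directory`` and ``directory`` as relative to the application root, so presumably only ``path`` is constrained to stay under ``directory`` while ``directory`` is trusted as given — if that is the case, a client-chosen ``directory`` (a route variable, query or form value) can select an arbitrary folder and the per-``path`` protection buys nothing. I would replace the two added lines with `relative to the current application's root path. This *must not*` / `come from the client (e.g. a route variable or form value): a client-chosen` / `directory is not validated, so it can point at any folder the application can read.`, adjusting the last clause if ``directory`` is in fact validated somewhere the hunk does not show. The signature and body of send_from_directory lie outside this hunk.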