diff --git a/release-notes/5515.md b/release-notes/5515.md
new file mode 100644
index 0000000000..46671195e1
--- /dev/null
+++ b/release-notes/5515.md
@@ -0,0 +1 @@
+**Fixing this bug is a breaking change because existing tokens with a public scope will no longer return private resources. They have to be deleted and re-created without the public scope to restore their original behavior**. The public scope of an application token does not filter out private repositories, organizations or packages in some cases. This scope is not the default, it has to be manually set via the web UI or the API. When the public scope is explicitly added to an application token that is allowed to list the repositories and packages of a user or an organization, it is meant as a restriction. For instance if a user has two repositories, one private and the other publicly visible, a token with the public scope used with the API endpoint listing the repositories that belong to this user must only return the publicly visible one and not reveal the existence of the private one.