diff --git a/CHANGES b/CHANGES
index da0fffe64..b75cdf018 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2027,3 +2027,7 @@
* backups: add b2 provider
* Add filemanager webinterface
* Add darkmode
+
+[6.0.0]
+* Add note that password reset and invite links expire in 24 hours
+
diff --git a/src/mail_templates/password_reset.ejs b/src/mail_templates/password_reset.ejs
index c37f86664..e157601cb 100644
--- a/src/mail_templates/password_reset.ejs
+++ b/src/mail_templates/password_reset.ejs
@@ -8,7 +8,7 @@ be reset. If you did not request this reset, please ignore this message.
To reset your password, please visit the following page:
<%- resetLink %>
-
+Please note that the password reset link will expire in 24 hours.
Powered by https://cloudron.io
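Review bot: The "24 hours" in the added sentence is a literal in the template, so the mail text and the server-side expiry check in src/routes/cloudron.js can drift apart, leaving users with a link that is rejected earlier or accepted later than the mail states. The same literal is added in the HTML part of this file and in both hunks of welcome_user.ejs. Consider passing the duration in from the code that renders the mail and printing it through a template variable, e.g. `Please note that the password reset link will expire in <%= expiryHours %> hours.` (`expiryHours` is a placeholder name, not a variable visible in this diff).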
@@ -29,6 +29,10 @@ Powered by https://cloudron.io
Click to reset your password
+
+
+Please note that the password reset link will expire in 24 hours.
+
diff --git a/src/mail_templates/welcome_user.ejs b/src/mail_templates/welcome_user.ejs
index 4d9ec6d57..337fd6706 100644
--- a/src/mail_templates/welcome_user.ejs
+++ b/src/mail_templates/welcome_user.ejs
@@ -11,6 +11,7 @@ Follow the link to get started.
You are receiving this email because you were invited by <%= invitor.email %>.
<% } %>
+Please note that the invite link will expire in 24 hours.
Powered by https://cloudron.io
@@ -36,6 +37,9 @@ Powered by https://cloudron.io
You are receiving this email because you were invited by <%= invitor.email %>.
<% } %>
+
+
+ Please note that the invite link will expire in 24 hours.
Powered by Cloudron
diff --git a/src/routes/cloudron.js b/src/routes/cloudron.js
index e905d3f7c..7a6a80d25 100644
--- a/src/routes/cloudron.js
+++ b/src/routes/cloudron.js
@@ -102,6 +102,7 @@ function passwordReset(req, res, next) {
users.getByResetToken(req.body.resetToken, function (error, userObject) {
if (error) return next(new HttpError(401, 'Invalid resetToken'));
+ // if you fix the duration here, the emails and UI have to be fixed as well
if (Date.now() - userObject.resetTokenCreationTime > 24 * 60 * 60 * 1000) return next(new HttpError(401, 'Token expired'));
if (!userObject.username) return next(new HttpError(409, 'No username set'));
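Review bot: The expiry check under the new comment in passwordReset fails open when `userObject.resetTokenCreationTime` is undefined or does not coerce to a number: the subtraction yields NaN, `NaN > 24 * 60 * 60 * 1000` is false, and the token is treated as still valid. Whether that field can be missing or stored as a string is not visible in this hunk, but the comparison can be written to fail closed, e.g. `var age = Date.now() - userObject.resetTokenCreationTime;` followed by `if (!(age <= RESET_TOKEN_TTL_MS)) return next(new HttpError(401, 'Token expired'));`, where `RESET_TOKEN_TTL_MS` is a placeholder for a single module-level constant. The identical line and comment in the setupAccount hunk have the same issue, and sharing one constant between the two routes would remove at least the in-file duplication that the new comment asks maintainers to keep in sync by hand. Both function bodies continue outside their hunks.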
@@ -132,6 +133,7 @@ function setupAccount(req, res, next) {
users.getByResetToken(req.body.resetToken, function (error, userObject) {
if (error) return next(new HttpError(401, 'Invalid Reset Token'));
+ // if you fix the duration here, the emails and UI have to be fixed as well
if (Date.now() - userObject.resetTokenCreationTime > 24 * 60 * 60 * 1000) return next(new HttpError(401, 'Token expired'));
users.setupAccount(userObject, req.body, auditSource.fromRequest(req), function (error, accessToken) {