diff --git a/api/next/69445.txt b/api/next/69445.txt
new file mode 100644
index 0000000000000..b6b56265e80aa
--- /dev/null
+++ b/api/next/69445.txt
@@ -0,0 +1,3 @@
+pkg crypto/cipher, func NewCFBDecrypter //deprecated #69445
+pkg crypto/cipher, func NewCFBEncrypter //deprecated #69445
+pkg crypto/cipher, func NewOFB //deprecated #69445
diff --git a/doc/next/6-stdlib/99-minor/crypto/cipher/69445.md b/doc/next/6-stdlib/99-minor/crypto/cipher/69445.md
new file mode 100644
index 0000000000000..b3ef9dcc2a6de
--- /dev/null
+++ b/doc/next/6-stdlib/99-minor/crypto/cipher/69445.md
@@ -0,0 +1,5 @@
+[NewOFB], [NewCFBEncrypter], and [NewCFBDecrypter] are now deprecated. OFB and
+CFB mode are not authenticated, which generally enables active attacks to
+manipulate and recover the plaintext. It is recommended that applications use
+[AEAD] modes instead. If an unauthenticated [Stream] mode is required, use
+[NewCTR] instead.
diff --git a/src/crypto/cipher/cfb.go b/src/crypto/cipher/cfb.go
index b9f9efa574679..b493e05fe27ce 100644
--- a/src/crypto/cipher/cfb.go
+++ b/src/crypto/cipher/cfb.go
@@ -54,6 +54,12 @@ func (x *cfb) XORKeyStream(dst, src []byte) {
 // NewCFBEncrypter returns a [Stream] which encrypts with cipher feedback mode,
 // using the given [Block]. The iv must be the same length as the [Block]'s block
 // size.
+//
+// Deprecated: CFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// CFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewCFBEncrypter(block Block, iv []byte) Stream {
 	if fips140only.Enabled {
 		panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode")
@@ -64,6 +70,12 @@ func NewCFBEncrypter(block Block, iv []byte) Stream {
 // NewCFBDecrypter returns a [Stream] which decrypts with cipher feedback mode,
 // using the given [Block]. The iv must be the same length as the [Block]'s block
 // size.
+//
+// Deprecated: CFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// CFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewCFBDecrypter(block Block, iv []byte) Stream {
 	if fips140only.Enabled {
 		panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode")
diff --git a/src/crypto/cipher/ofb.go b/src/crypto/cipher/ofb.go
index abdc0225c0166..8db5659f7a25c 100644
--- a/src/crypto/cipher/ofb.go
+++ b/src/crypto/cipher/ofb.go
@@ -22,6 +22,12 @@ type ofb struct {
 // NewOFB returns a [Stream] that encrypts or decrypts using the block cipher b
 // in output feedback mode. The initialization vector iv's length must be equal
 // to b's block size.
+//
+// Deprecated: OFB mode is not authenticated, which generally enables active
+// attacks to manipulate and recover the plaintext. It is recommended that
+// applications use [AEAD] modes instead. The standard library implementation of
+// OFB is also unoptimized and not validated as part of the FIPS 140-3 module.
+// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.
 func NewOFB(b Block, iv []byte) Stream {
 	if fips140only.Enabled {
 		panic("crypto/cipher: use of OFB is not allowed in FIPS 140-only mode")