diff --git a/server/controllers/FileSystemController.js b/server/controllers/FileSystemController.js
index edfd869c..39663d23 100644
--- a/server/controllers/FileSystemController.js
+++ b/server/controllers/FileSystemController.js
@@ -108,6 +108,11 @@ class FileSystemController {
 return res.sendStatus(404)
 }

+ if (!req.user.checkCanAccessLibrary(libraryFolder.libraryId)) {
+ Logger.error(`[FileSystemController] User "${req.user.username}" attempting to check path exists for library "${libraryFolder.libraryId}" without access`)
+ return res.sendStatus(403)
+ }
+
 const filepath = Path.join(libraryFolder.path, directory)

 // Ensure filepath is inside library folder (prevents directory traversal)
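Review bot: The new 403 branch is reached only after the `return res.sendStatus(404)` for a missing library folder, so a caller with no access to the library can still tell a valid folder id from an invalid one by the status code. If folder ids are meant to stay private to users of that library, answer both cases identically, e.g. `return res.sendStatus(404)` in the denial branch, and keep the distinction only in the log line. A one-line comment above the check, `// Deny before building the path so this endpoint cannot probe libraries the user cannot access`, would record why it must stay ahead of `Path.join`. The enclosing method starts and ends outside the hunk, so the containment check announced by the last comment line is not visible here and is not covered by this note.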