diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7a0f10ea..f07411d9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## v0.4.33
 
+FIX: Fix for log message in `Agent.CanAccessShare` (`"account '#%d' over frontends per share limit '%d'"`), which was not returning the correct limit value.
+
+FIX: Properly set `permission_mode` in `frontends` when createing a private frontend using `zrok access private` (https://github.com/openziti/zrok/issues/677)
+
 CHANGE: Updated `react-bootstrap` to version `2.10.2` (web console).
 
 CHANGE: Updated `@mui/material` to version `5.15.18` (web console).
diff --git a/controller/access.go b/controller/access.go
index 5b9d8dce..e3fc9d9a 100644
--- a/controller/access.go
+++ b/controller/access.go
@@ -81,7 +81,7 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
 		return share.NewAccessInternalServerError()
 	}
 
-	if _, err := str.CreateFrontend(envId, &store.Frontend{PrivateShareId: &shr.Id, Token: feToken, ZId: envZId}, trx); err != nil {
+	if _, err := str.CreateFrontend(envId, &store.Frontend{PrivateShareId: &shr.Id, Token: feToken, ZId: envZId, PermissionMode: store.ClosedPermissionMode}, trx); err != nil {
 		logrus.Errorf("error creating frontend record for user '%v': %v", principal.Email, err)
 		return share.NewAccessInternalServerError()
 	}
diff --git a/controller/limits/agent.go b/controller/limits/agent.go
index 78835056..b9403063 100644
--- a/controller/limits/agent.go
+++ b/controller/limits/agent.go
@@ -202,7 +202,7 @@ func (a *Agent) CanAccessShare(shrId int, trx *sqlx.Tx) (bool, error) {
 					return false, err
 				}
 				if len(fes)+1 > rc.GetShareFrontends() {
-					logrus.Infof("account '#%d' over frontends per share limit '%d'", *env.AccountId, rc.GetReservedShares())
+					logrus.Infof("account '#%d' over frontends per share limit '%d'", *env.AccountId, rc.GetShareFrontends())
 					return false, nil
 				}
 			}