diff --git a/api/apps/restful_apis/document_api.py b/api/apps/restful_apis/document_api.py
index 3a3f3cd30f1..c42e13274c5 100644
--- a/api/apps/restful_apis/document_api.py
+++ b/api/apps/restful_apis/document_api.py
@@ -23,7 +23,7 @@ from peewee import OperationalError
 from pydantic import ValidationError
-from api.apps import login_required
+from api.apps import current_user, login_required
 from api.constants import FILE_NAME_LEN_LIMIT, IMG_BASE64_PREFIX
 from api.apps.services.document_api_service import validate_document_update_fields, map_doc_keys, \
     map_doc_keys_with_run_status, update_document_name_only, update_chunk_method, update_document_status_only, \
@@ -1180,6 +1180,7 @@ async def update_metadata_config(tenant_id, dataset_id, document_id):
 @manager.route("/thumbnails", methods=["GET"])  # noqa: F821
+@login_required
 def list_thumbnails():
     """
     Get thumbnails for documents.
@@ -1205,6 +1206,14 @@ def list_thumbnails():
     if not doc_ids:
         return get_json_result(data=False, message='Lack of "Document ID"', code=RetCode.ARGUMENT_ERROR)
+    for doc_id in doc_ids:
+        if not DocumentService.accessible(doc_id, current_user.id):
+            logging.warning(
+                "thumbnail access denied: user_id=%s doc_id=%s path=%s",
+                current_user.id, doc_id, request.path,
+            )
+            return get_json_result(data=False, message="No authorization.", code=RetCode.AUTHENTICATION_ERROR)
+
     try:
         docs = DocumentService.get_thumbnails(doc_ids)
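Review bot: The docstring of `list_thumbnails` is not updated alongside the new `@login_required` decorator, so readers of the endpoint documentation will still assume anonymous access works. I would extend the summary with `Requires an authenticated session; each requested document must be accessible to the caller, otherwise the request is rejected with "No authorization."`, which also matches the per-document check visible in the later hunk. The decorator sits below `@manager.route`, which is the order needed for the route to register the wrapped function rather than the bare one. The body of `list_thumbnails` continues past this hunk.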