diff --git a/backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java b/backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java
index 7d591c3f..359e8355 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java
@@ -199,6 +199,7 @@ public class DocumentController {
     }
 
     @GetMapping("/incomplete")
+    @RequirePermission(Permission.WRITE_ALL)
     public List getIncomplete(
             @Parameter(description = "Maximum number of results (server caps at 200)")
             @RequestParam(defaultValue = "50") int size) {
diff --git a/backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java b/backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java
index 842fe43b..4e6c9c04 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java
@@ -414,6 +414,13 @@ class DocumentControllerTest {
                 .andExpect(jsonPath("$[0].uploadedAt").exists());
     }
 
+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void getIncomplete_returns403_forReaderOnly() throws Exception {
+        mockMvc.perform(get("/api/documents/incomplete"))
+                .andExpect(status().isForbidden());
+    }
+
     // ─── GET /api/documents/incomplete/next ──────────────────────────────────
 
     @Test
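Review bot: The `@RequirePermission(Permission.WRITE_ALL)` guard is added only to `getIncomplete` on `/incomplete`, while the test file's section header shows a sibling endpoint `GET /api/documents/incomplete/next` that is not touched by this commit; if that handler returns items from the same incomplete-document queue and is not already annotated, it needs the same guard, otherwise the restriction is bypassable by calling the sibling route. Worth a one-line Javadoc on the handler stating the intent, e.g. `/** Lists documents still missing metadata; restricted to editors (WRITE_ALL) because the queue exposes unreviewed uploads. */`, so the choice of a write permission on a GET is not reverted as a mistake later. The `List` return type appears without a type argument here, which may be an artifact of the page rendering; if it really is raw, `List<...>` with the DTO type would let the compiler check the body. The body of `getIncomplete`, including the documented 200 cap on `size`, continues outside the hunk.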
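Review bot: The new test pins the reader-role denial but not the unauthenticated case, so the hunk does not show whether an anonymous request to `/api/documents/incomplete` is rejected before the permission check runs. A second method next to `getIncomplete_returns403_forReaderOnly` with `@WithAnonymousUser` and `.andExpect(status().isUnauthorized())` (or `isForbidden()`, depending on how the security filter chain is configured for anonymous callers) would close that gap. The test asserts only the status; if the error body is a JSON problem document, also asserting that it contains no document data would guard against a handler that sets 403 but still serializes the list.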