diff --git a/src/server/middleware/contenttrust/contenttrust.go b/src/server/middleware/contenttrust/contenttrust.go
index 838b28b14..fe8de1fae 100644
--- a/src/server/middleware/contenttrust/contenttrust.go
+++ b/src/server/middleware/contenttrust/contenttrust.go
@@ -1,6 +1,9 @@
 package contenttrust
 
 import (
+ "github.com/goharbor/harbor/src/api/project"
+ "github.com/goharbor/harbor/src/common/rbac"
+ "github.com/goharbor/harbor/src/common/security"
 internal_errors "github.com/goharbor/harbor/src/internal/error"
 "github.com/goharbor/harbor/src/pkg/signature"
 serror "github.com/goharbor/harbor/src/server/error"
@@ -49,6 +52,18 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo) {
 if !ok {
 return false, none
 }
+ pro, err := project.Ctl.GetByName(req.Context(), af.ProjectName)
+ if err != nil {
+ return false, none
+ }
+ resource := rbac.NewProjectNamespace(pro.ProjectID).Resource(rbac.ResourceRepository)
+ securityCtx, ok := security.FromContext(req.Context())
+ if !ok {
+ return false, none
+ }
+ if !securityCtx.Can(rbac.ActionScannerPull, resource) {
+ return false, none
+ }
 if !middleware.GetPolicyChecker().ContentTrustEnabled(af.ProjectName) {
 return false, af
 }
diff --git a/src/server/middleware/vulnerable/vulnerable.go b/src/server/middleware/vulnerable/vulnerable.go
index d700e7178..f96c0d380 100644
--- a/src/server/middleware/vulnerable/vulnerable.go
+++ b/src/server/middleware/vulnerable/vulnerable.go
@@ -1,6 +1,9 @@
 package vulnerable
 
 import (
+ "github.com/goharbor/harbor/src/api/project"
+ "github.com/goharbor/harbor/src/common/rbac"
+ "github.com/goharbor/harbor/src/common/security"
 "net/http"
 "net/http/httptest"
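Review bot: The permission test added at the end of the contenttrust validate hunk looks inverted: `if !securityCtx.Can(rbac.ActionScannerPull, resource) { return false, none }` returns false for every caller that lacks scanner-pull permission, and judging by the next lines false is the same value returned when content trust is not enabled for the project, so ordinary pulls would skip the content trust gate while only scanner identities reach the policy check. If the intent is to exempt the scanner's own pull from the gate, the condition should be `if securityCtx.Can(rbac.ActionScannerPull, resource) {`; the vulnerable.go hunk in this commit carries the same inverted check with `return false, af, vs, wl` and should be corrected together with it. The two new error paths (project lookup failure and a missing security context) also return false, which appears to fail open; worth confirming that neither can be reached by a pull that later succeeds, or returning the enforcing value there. validate continues past the end of the hunk, so the final return and the caller's handling of the bool are not visible here.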
@@ -105,6 +108,18 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo, vuln.Severity,
 return false, af, vs, wl
 }
+ pro, err := project.Ctl.GetByName(req.Context(), af.ProjectName)
+ if err != nil {
+ return false, af, vs, wl
+ }
+ resource := rbac.NewProjectNamespace(pro.ProjectID).Resource(rbac.ResourceRepository)
+ securityCtx, ok := security.FromContext(req.Context())
+ if !ok {
+ return false, af, vs, wl
+ }
+ if !securityCtx.Can(rbac.ActionScannerPull, resource) {
+ return false, af, vs, wl
+ }
 // Is vulnerable policy set?
 projectVulnerableEnabled, projectVulnerableSeverity, wl := middleware.GetPolicyChecker().VulnerablePolicy(af.ProjectName)
 if !projectVulnerableEnabled {