diff --git a/components/Attachment/Controller/Attachment.php b/components/Attachment/Controller/Attachment.php
index d2c394371d..502dcc53b7 100644
--- a/components/Attachment/Controller/Attachment.php
+++ b/components/Attachment/Controller/Attachment.php
@@ -35,6 +35,7 @@ use App\Util\Exception\NoSuchFileException;
 use App\Util\Exception\NotFoundException;
 use App\Util\Exception\ServerException;
 use Component\Attachment\Entity\AttachmentThumbnail;
+use Component\Attachment\Entity\AttachmentToNote;
 use Symfony\Component\HttpFoundation\HeaderUtils;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -50,7 +51,12 @@ class Attachment extends Controller
 $attachment = DB::findOneBy('attachment', ['id' => $attachment_id]);
 $note = \is_int($note) ? Note::getById($note) : $note;
- // Before anything, ensure proper scope
+ // Before anything, two very important things!
+ // first: ensure this attachment is associated with this note
+ if (DB::count(AttachmentToNote::class, ['attachment_id' => $attachment->getId(), 'note_id' => $note->getId()]) <= 0) {
+ throw new ClientException(_m('No such attachment.'), 404);
+ }
+ // second: ensure proper scope
 if (!$note->isVisibleTo(Common::actor())) {
 throw new ClientException(_m('You don\'t have permissions to view this attachment.'), 401);
 }
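Review bot: Running the association check before the visibility check turns this endpoint into an oracle: for a note the actor may not view, the response is 404 when the attachment is not linked to it and 401 when it is, so a caller without permission can probe which attachments belong to a private note. Swap the two blocks so `if (!$note->isVisibleTo(Common::actor()))` runs first and the `DB::count(AttachmentToNote::class, ...)` check second, or return the same status for both failures. The enclosing method starts before the hunk, and whether `DB::findOneBy` returns null or throws for an unknown id is not visible here, so `$attachment->getId()` may need a null guard. The same ordering appears in `attachmentThumbnailWithNote` in the next hunk, where in addition the only `$attachment = DB::findOneBy(...)` assignment is deleted while the new `DB::count` still dereferences `$attachment`, leaving it undefined at that point (passing `'attachment_id' => $attachment_id` directly would sidestep that).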
@@ -145,12 +151,18 @@ class Attachment extends Controller
 */
 public function attachmentThumbnailWithNote(Request $request, int $note_id, int $attachment_id, string $size = 'small'): Response
 {
- // Before anything, ensure proper scope
- if (!Note::getById($note_id)->isVisibleTo(Common::actor())) {
- throw new ClientException(_m('You don\'t have permissions to view this thumbnail.'), 401);
- }
- $attachment = DB::findOneBy('attachment', ['id' => $attachment_id]);
+ $note = Note::getById($note_id);
+
+ // Before anything, two very important things!
+ // first: ensure this attachment is associated with this note
+ if (DB::count(AttachmentToNote::class, ['attachment_id' => $attachment->getId(), 'note_id' => $note->getId()]) <= 0) {
+ throw new ClientException(_m('No such attachment.'), 404);
+ }
+ // second: ensure proper scope
+ if (!$note->isVisibleTo(Common::actor())) {
+ throw new ClientException(_m('You don\'t have permissions to view this attachment.'), 401);
+ }
 $crop = Common::config('thumbnail', 'smart_crop');