diff --git a/app/controllers/list_controller.rb b/app/controllers/list_controller.rb
index 89344bb75..f930c55e8 100644
--- a/app/controllers/list_controller.rb
+++ b/app/controllers/list_controller.rb
@@ -217,6 +217,7 @@ class ListController < ApplicationController
 
     @category = Category.where(slug: slug_or_id, parent_category_id: parent_category_id).includes(:featured_users).first ||
                 Category.where(id: slug_or_id.to_i, parent_category_id: parent_category_id).includes(:featured_users).first
+    guardian.ensure_can_see!(@category)
 
     raise Discourse::NotFound.new if @category.blank?
   end
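Review bot: `guardian.ensure_can_see!(@category)` runs before the `@category.blank?` check, so a lookup that matched nothing passes nil into the guardian. Guardian is not visible in this hunk; if it treats nil as not visible, the `Discourse::NotFound` line below can no longer be reached and a mistyped slug is reported as an access failure instead. Decide the ordering deliberately, and consider giving hidden and missing categories the same response so the status code does not confirm that a restricted category exists: `raise Discourse::NotFound.new if @category.blank? || !guardian.can_see?(@category)`. The enclosing method starts above the hunk, so any other callers or filters that reach this lookup are not visible here.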
diff --git a/spec/controllers/list_controller_spec.rb b/spec/controllers/list_controller_spec.rb
index 41dd68ef7..6adb4ce95 100644
--- a/spec/controllers/list_controller_spec.rb
+++ b/spec/controllers/list_controller_spec.rb
@@ -56,6 +56,15 @@ describe ListController do
     context 'in a category' do
       let(:category) { Fabricate(:category) }
 
+      context 'without access to see the category' do
+        before do
+          Guardian.any_instance.expects(:can_see?).with(category).returns(false)
+          xhr :get, :category_latest, category: category.slug
+        end
+
+        it { should_not respond_with(:success) }
+      end
+
       context 'with access to see the category' do
         before do
           xhr :get, :category_latest, category: category.slug
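Review bot: `should_not respond_with(:success)` in the new 'without access to see the category' context passes on any non-2xx response, including a 500 from an unrelated error, so it does not pin the access check. Assert the status the controller is meant to return, for example `it { should respond_with(403) }` if a denial is intended to surface as forbidden. The expectation also stubs `can_see?` on any Guardian instance, so the real permission logic is never exercised; a case built on a category the requesting user genuinely cannot see would be a stronger regression test. Only `category_latest` is covered here, and the same lookup presumably serves the other category list actions, which deserve the same negative case.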