diff --git a/CHANGELOG.md b/CHANGELOG.md index c999766f8..4e029dd45 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Breaking changes +* Package registry container image runs by default as a non-root user (UID 1000). [#1503](https://github.com/elastic/package-registry/pull/1503) + ### Bugfixes ### Added diff --git a/Dockerfile b/Dockerfile index 4b421d81c..ac1f78e16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -39,6 +39,9 @@ WORKDIR /package-registry # Get in config which expects packages in /packages COPY config.docker.yml /package-registry/config.yml +# Run as non-root user +USER 1000 + # Start registry when container is run an expose it on port 8080 EXPOSE 8080 ENTRYPOINT ["./package-registry"] diff --git a/README.md b/README.md index afa92b90c..e5a890593 100644 --- a/README.md +++ b/README.md @@ -134,6 +134,9 @@ docker run --rm -it -p 8080:8080 \ docker.elastic.co/package-registry/package-registry:main ``` +> [!IMPORTANT] +> When you mount local package directories into the container (e.g., `-v /path/to/packages:/packages/package-registry`), ensure the mounted directory has proper filesystem permissions allowing UID 1000 to read the files. Alternatively, you can run the container as root using `docker run --user 0 ...` if you encounter permission issues. + **Listening on HTTPS** ```bash docker run --rm -it -p 8443:8443 \
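Review bot: The Breaking changes entry in CHANGELOG.md states the new default (UID 1000) but not what breaks for existing users. The README change in this same patch identifies mounted package directories as the affected case, so say so in the entry, for example that directories mounted into the container must be readable by UID 1000. That way someone reading only the changelog knows what to check on upgrade.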
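Review bot: In the Dockerfile hunk, `USER 1000` sets only the UID. Unless the base image has a passwd entry for UID 1000 with its own primary group, Docker runs the process with the root group (GID 0). Consider `USER 1000:1000` so that neither the user nor the group is root. Also, the `COPY config.docker.yml /package-registry/config.yml` just above has no `--chown`, so the config stays root-owned. Please confirm it is readable by UID 1000, since the build itself will not catch that.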
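Review bot: In the README `[!IMPORTANT]` note, "allowing UID 1000 to read the files" is incomplete. The mounted directories also need search (execute) permission for UID 1000, otherwise readable files beneath them are still unreachable. Separately, the suggested fallback `docker run --user 0 ...` undoes the hardening this patch introduces. I would list fixing ownership or mode on the host directory first, then `--user` set to the UID that owns the host directory, and present running as root only as a last resort.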