diff --git a/.changelog/4066.txt b/.changelog/4066.txt
new file mode 100644
index 0000000000..9c1574f9b3
--- /dev/null
+++ b/.changelog/4066.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar
+```
diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
index a9643308d8..88ee607770 100644
--- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
+++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
@@ -234,7 +234,20 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor
 			RunAsGroup:               pointer.Int64(sidecarUserAndGroupID),
 			RunAsNonRoot:             pointer.Bool(true),
 			AllowPrivilegeEscalation: pointer.Bool(false),
-			ReadOnlyRootFilesystem:   pointer.Bool(true),
+			// consul-dataplane requires the NET_BIND_SERVICE capability regardless of binding port #.
+			// See https://developer.hashicorp.com/consul/docs/connect/dataplane#technical-constraints
+			Capabilities: &corev1.Capabilities{
+				Add: []corev1.Capability{"NET_BIND_SERVICE"},
+			},
+			ReadOnlyRootFilesystem: pointer.Bool(true),
+		}
+	} else {
+		// consul-dataplane requires the NET_BIND_SERVICE capability regardless of binding port #.
+		// See https://developer.hashicorp.com/consul/docs/connect/dataplane#technical-constraints
+		container.SecurityContext = &corev1.SecurityContext{
+			Capabilities: &corev1.Capabilities{
+				Add: []corev1.Capability{"NET_BIND_SERVICE"},
+			},
 		}
 	}
 
diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
index ae1f50e795..7d0cd26f27 100644
--- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
+++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
@@ -808,6 +808,9 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 				RunAsNonRoot:             pointer.Bool(true),
 				ReadOnlyRootFilesystem:   pointer.Bool(true),
 				AllowPrivilegeEscalation: pointer.Bool(false),
+				Capabilities: &corev1.Capabilities{
+					Add: []corev1.Capability{"NET_BIND_SERVICE"},
+				},
 			},
 		},
 		"tproxy enabled; openshift disabled": {
@@ -819,12 +822,19 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 				RunAsNonRoot:             pointer.Bool(true),
 				ReadOnlyRootFilesystem:   pointer.Bool(true),
 				AllowPrivilegeEscalation: pointer.Bool(false),
+				Capabilities: &corev1.Capabilities{
+					Add: []corev1.Capability{"NET_BIND_SERVICE"},
+				},
 			},
 		},
 		"tproxy disabled; openshift enabled": {
-			tproxyEnabled:      false,
-			openShiftEnabled:   true,
-			expSecurityContext: nil,
+			tproxyEnabled:    false,
+			openShiftEnabled: true,
+			expSecurityContext: &corev1.SecurityContext{
+				Capabilities: &corev1.Capabilities{
+					Add: []corev1.Capability{"NET_BIND_SERVICE"},
+				},
+			},
 		},
 		"tproxy enabled; openshift enabled": {
 			tproxyEnabled:    true,
@@ -835,6 +845,9 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 				RunAsNonRoot:             pointer.Bool(true),
 				ReadOnlyRootFilesystem:   pointer.Bool(true),
 				AllowPrivilegeEscalation: pointer.Bool(false),
+				Capabilities: &corev1.Capabilities{
+					Add: []corev1.Capability{"NET_BIND_SERVICE"},
+				},
 			},
 		},
 	}