diff --git a/src/node_file.cc b/src/node_file.cc
index 9e0083d10a2f87..43f1922b96755f 100644
--- a/src/node_file.cc
+++ b/src/node_file.cc
@@ -2678,6 +2678,8 @@ static void Mkdtemp(const FunctionCallbackInfo<Value>& args) {
 
   BufferValue tmpl(isolate, args[0]);
   CHECK_NOT_NULL(*tmpl);
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      env, permission::PermissionScope::kFileSystemWrite, tmpl.ToStringView());
 
   const enum encoding encoding = ParseEncoding(isolate, args[1], UTF8);
 
diff --git a/test/fixtures/permission/fs-write.js b/test/fixtures/permission/fs-write.js
index 566f45c34722bd..ecbd91999ec6a9 100644
--- a/test/fixtures/permission/fs-write.js
+++ b/test/fixtures/permission/fs-write.js
@@ -130,6 +130,23 @@ const absoluteProtectedFolder = path.resolve(relativeProtectedFolder);
   }));
 }
 
+{
+  assert.throws(() => {
+    fs.mkdtempSync(path.join(blockedFolder, 'any-folder'));
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemWrite',
+  }));
+  assert.throws(() => {
+    fs.mkdtemp(path.join(relativeProtectedFolder, 'any-folder'), (err) => {
+      assert.ifError(err);
+    });
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemWrite',
+  }));
+}
+
 // fs.rename
 {
   assert.throws(() => {