diff --git a/backend/LexBoxApi/Auth/Requirements/AccessProjectUsersRequirementHandler.cs b/backend/LexBoxApi/Auth/Requirements/AccessProjectUsersRequirementHandler.cs
index c289a88d4..5e862ef38 100644
--- a/backend/LexBoxApi/Auth/Requirements/AccessProjectUsersRequirementHandler.cs
+++ b/backend/LexBoxApi/Auth/Requirements/AccessProjectUsersRequirementHandler.cs
@@ -20,10 +20,11 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
         {
             projectId = middlewareContext.Parent<Project>().Id;
         }
-        if (projectId != Guid.Empty && await permissions.CanSyncProjectAsync(projectId))
+        if (projectId != Guid.Empty && await permissions.CanViewProjectMembers(projectId))
         {
             context.Succeed(requirement);
-        } else
+        }
+        else
         {
             if (projectId == Guid.Empty)
             {
diff --git a/backend/LexBoxApi/Services/PermissionService.cs b/backend/LexBoxApi/Services/PermissionService.cs
index f244f45fa..2e7f29031 100644
--- a/backend/LexBoxApi/Services/PermissionService.cs
+++ b/backend/LexBoxApi/Services/PermissionService.cs
@@ -94,6 +94,16 @@ public async ValueTask AssertCanViewProject(string projectCode)
         if (!await CanViewProject(projectCode)) throw new UnauthorizedAccessException();
     }
 
+    public async ValueTask<bool> CanViewProjectMembers(Guid projectId)
+    {
+        if (User is not null && User.Role == UserRole.admin) return true;
+        // Project managers can view members of their own projects, even confidential ones
+        if (await CanManageProject(projectId)) return true;
+        var isConfidential = await projectService.LookupProjectConfidentiality(projectId);
+        if (isConfidential is null) return false; // Private by default
+        return isConfidential == false; // Explicitly set to public
+    }
+
     public async ValueTask<bool> CanManageProject(Guid projectId)
     {
         if (User is null) return false;
diff --git a/backend/LexCore/ServiceInterfaces/IPermissionService.cs b/backend/LexCore/ServiceInterfaces/IPermissionService.cs
index 06be6f1ed..dec18d5bd 100644
--- a/backend/LexCore/ServiceInterfaces/IPermissionService.cs
+++ b/backend/LexCore/ServiceInterfaces/IPermissionService.cs
@@ -20,6 +20,7 @@ public interface IPermissionService
     ValueTask AssertCanViewProject(Guid projectId);
     ValueTask<bool> CanViewProject(string projectCode);
     ValueTask AssertCanViewProject(string projectCode);
+    ValueTask<bool> CanViewProjectMembers(Guid projectId);
     ValueTask<bool> CanManageProject(Guid projectId);
     ValueTask<bool> CanManageProject(string projectCode);
     ValueTask AssertCanManageProject(Guid projectId);