diff --git a/internal/handler/kb.go b/internal/handler/kb.go
index c44fa741c2..5ba5e0543a 100644
--- a/internal/handler/kb.go
+++ b/internal/handler/kb.go
@@ -124,7 +124,7 @@ func (h *KnowledgebaseHandler) UpdateKB(c *gin.Context) {
 // @Success 200 {object} map[string]interface{}
 // @Router /v1/kb/update_metadata_setting [post]
 func (h *KnowledgebaseHandler) UpdateMetadataSetting(c *gin.Context) {
-	_, errorCode, errorMessage := GetUser(c)
+	user, errorCode, errorMessage := GetUser(c)
 	if errorCode != common.CodeSuccess {
 		jsonError(c, errorCode, errorMessage)
 		return
@@ -136,8 +136,17 @@ func (h *KnowledgebaseHandler) UpdateMetadataSetting(c *gin.Context) {
 		return
 	}
 
-	result, code, err := h.kbService.UpdateMetadataSetting(&req)
+	if !h.kbService.Accessible(req.KBID, user.ID) {
+		jsonError(c, common.CodeAuthenticationError, "No authorization.")
+		return
+	}
+
+	result, code, err := h.kbService.UpdateMetadataSetting(&req, user.ID)
 	if err != nil {
+		if strings.Contains(err.Error(), "authorized") {
+			jsonError(c, common.CodeAuthenticationError, err.Error())
+			return
+		}
 		jsonError(c, code, err.Error())
 		return
 	}
diff --git a/internal/service/kb.go b/internal/service/kb.go
index 8913bf0a22..e97922b2a3 100644
--- a/internal/service/kb.go
+++ b/internal/service/kb.go
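Review bot: Choosing the response code with `strings.Contains(err.Error(), "authorized")` inside the `err != nil` branch of the second hunk is brittle: any other error whose text happens to contain that substring (a wrapped database error, for instance) would be reported as an authorization failure, and rewording the message in internal/service/kb.go silently breaks the mapping, since that hunk returns this error with `common.CodeOperatingError` and the handler is overriding the code the service chose. Prefer a sentinel declared in the service package, e.g. `var ErrNotAuthorized = errors.New("only owner of dataset authorized for this operation")`, returned by UpdateMetadataSetting and tested here with `if errors.Is(err, <service pkg>.ErrNotAuthorized) {` (using whatever identifier the service package is imported under). The hunk does not show the import block, so confirm `strings` (and `errors`, if the sentinel is adopted) is imported in this file. The body of UpdateMetadataSetting continues past the end of the hunk.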
@@ -164,8 +164,15 @@ func (s *KnowledgebaseService) UpdateKB(req *UpdateKBRequest, userID string) (ma
 	return result, common.CodeSuccess, nil
 }
 
-// UpdateMetadataSetting updates the metadata settings for a knowledge base
-func (s *KnowledgebaseService) UpdateMetadataSetting(req *UpdateMetadataSettingRequest) (map[string]interface{}, common.ErrorCode, error) {
+// UpdateMetadataSetting updates the metadata settings for a knowledge base.
+// The userID must be a member of the owning tenant; this is the same authorization
+// boundary applied by GetDetail and the handler-level guard, duplicated here so
+// the security check cannot be regressed by future handler refactors that drop it.
+func (s *KnowledgebaseService) UpdateMetadataSetting(req *UpdateMetadataSettingRequest, userID string) (map[string]interface{}, common.ErrorCode, error) {
+	if !s.kbDAO.Accessible(req.KBID, userID) {
+		return nil, common.CodeOperatingError, errors.New("only owner of dataset authorized for this operation")
+	}
+
 	kb, err := s.kbDAO.GetByID(req.KBID)
 	if err != nil {
 		return nil, common.CodeDataError, errors.New("database error (knowledgebase not found)")
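Review bot: The new doc comment states that userID "must be a member of the owning tenant", while the error returned when `s.kbDAO.Accessible` fails says "only owner of dataset authorized for this operation"; one of the two misstates the rule that Accessible actually enforces, and since the message is surfaced to the client it should match the check. The refusal is also returned with `common.CodeOperatingError`, a generic code for what is an authorization decision; if the project defines an authorization-specific code it belongs here so callers do not have to reinterpret the error. Performing the Accessible check before `s.kbDAO.GetByID` means a request naming a non-existent KBID gets the same authorization refusal as one naming another tenant's KB, which avoids leaking whether an id exists; that is worth stating explicitly in the comment, e.g. `// Authorization is checked before lookup so a missing KB is indistinguishable from an inaccessible one.` The remainder of UpdateMetadataSetting lies beyond the hunk.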