diff --git a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
index a21233393..afa8b2ea2 100644
--- a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
@@ -14,7 +14,8 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
   plug(Pleroma.Web.ApiSpec.CastAndValidate)
   plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)
 
-  plug(OAuthScopesPlug, %{scopes: ["write:media"]})
+  plug(OAuthScopesPlug, %{scopes: ["read:media"]} when action == :show)
+  plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action != :show)
 
   defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.MediaOperation
 
@@ -65,6 +66,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
 
   def update(conn, data), do: show(conn, data)
 
+  # TODO: clarify: is the access to non-owned objects granted intentionally?
   @doc "GET /api/v1/media/:id"
   def show(conn, %{id: id}) do
     with %Object{data: data, id: object_id} <- Object.get_by_id(id) do
@@ -74,5 +76,5 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
     end
   end
 
-  def get_media(_conn, _data), do: {:error, :bad_request}
+  def show(_conn, _data), do: {:error, :bad_request}
 end
diff --git a/test/web/mastodon_api/controllers/media_controller_test.exs b/test/web/mastodon_api/controllers/media_controller_test.exs
index 7ba1727f2..98ec239b1 100644
--- a/test/web/mastodon_api/controllers/media_controller_test.exs
+++ b/test/web/mastodon_api/controllers/media_controller_test.exs
@@ -9,9 +9,9 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
   alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
 
-  setup do: oauth_access(["write:media"])
-
   describe "Upload media" do
+    setup do: oauth_access(["write:media"])
+
     setup do
       image = %Plug.Upload{
         content_type: "image/jpg",
@@ -42,7 +42,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
       assert object.data["actor"] == User.ap_id(conn.assigns[:user])
     end
 
-    test "/api/v2/media", %{conn: conn, image: image} do
+    test "/api/v2/media", %{conn: conn, user: user, image: image} do
       desc = "Description of the image"
 
       response =
@@ -53,6 +53,8 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
 
       assert media_id = response["id"]
 
+      %{conn: conn} = oauth_access(["read:media"], user: user)
+
       media =
         conn
         |> get("/api/v1/media/#{media_id}")
@@ -62,11 +64,15 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
       assert media["description"] == desc
       assert media["id"]
       object = Object.get_by_id(media["id"])
+
+      # TODO: clarify: if this EP allows access to non-owned objects, the following may be false:
       assert object.data["actor"] == User.ap_id(conn.assigns[:user])
     end
   end
 
   describe "Update media description" do
+    setup do: oauth_access(["write:media"])
+
     setup %{user: actor} do
       file = %Plug.Upload{
         content_type: "image/jpg",
@@ -97,6 +103,8 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
   end
 
   describe "Get media by id" do
+    setup do: oauth_access(["read:media"])
+
     setup %{user: actor} do
       file = %Plug.Upload{
         content_type: "image/jpg",