diff --git a/routes/web.php b/routes/web.php
index f1031e629..dc6817906 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -290,9 +290,13 @@ Route::middleware(['auth'])->group(function () {
 Route::get('/download/backup/{executionId}', function () {
 try {
 $team = auth()->user()->currentTeam();
+ $user = auth()->user();
 if (is_null($team)) {
 return response()->json(['message' => 'Team not found.'], 404);
 }
+ if ($user->isAdminFromSession() === false) {
+ return response()->json(['message' => 'Only team admins/owners can download backups.'], 403);
+ }
 $exeuctionId = request()->route('executionId');
 $execution = ScheduledDatabaseBackupExecution::where('id', $exeuctionId)->firstOrFail();
 $execution_team_id = $execution->scheduledDatabaseBackup->database->team()?->id;
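Review bot: The added role guard `if ($user->isAdminFromSession() === false) {` rejects the request only when the method returns a strict boolean `false`. Any other non-true result (for example `null` if the session team cannot be resolved) would fall through and allow the download. The method's return type is not visible in this hunk, so a fail-closed form is safer for an authorization check: `if ($user->isAdminFromSession() !== true) {`. It would also read more cleanly to fetch `$user = auth()->user();` first and derive `$team = $user->currentTeam();` from it, so that role and team come from the same user object. The closure body continues past the end of the hunk, so confirm that the team-ownership comparison using `$execution_team_id` still runs after this guard.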