diff --git a/src/api/categories.js b/src/api/categories.js
index 774091fd61..892c8e3d6a 100644
--- a/src/api/categories.js
+++ b/src/api/categories.js
@@ -80,6 +80,10 @@ categoriesAPI.delete = async function (caller, { cid }) {
 };
 categoriesAPI.getTopicCount = async (caller, { cid }) => {
+ const allowed = await privileges.categories.can('find', cid, caller.uid);
+ if (!allowed) {
+ throw new Error('[[error:no-privileges]]');
+ }
 const count = await categories.getCategoryField(cid, 'topic_count');
 return { count };
 };
diff --git a/src/routes/write/categories.js b/src/routes/write/categories.js
index ca149a54da..a6d464af6f 100644
--- a/src/routes/write/categories.js
+++ b/src/routes/write/categories.js
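Review bot: The new check in `getTopicCount` (src/api/categories.js) gates on the `find` privilege, and nothing in the hunk says why `find` rather than `read` is the right level for a value derived from the category's contents. The route change in src/routes/write/categories.js drops the route-level middlewares for `/:cid/count`, so this check appears to be the only access control left on `topic_count`. I would record that above it, e.g. `// Route no longer carries the shared middlewares; this is the only access check on topic_count`. The hunk also does not show where `privileges` is required in this file, so confirm it is in scope.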
@@ -16,10 +16,10 @@ module.exports = function () {
 setupApiRoute(router, 'put', '/:cid', [...middlewares], controllers.write.categories.update);
 setupApiRoute(router, 'delete', '/:cid', [...middlewares], controllers.write.categories.delete);
- setupApiRoute(router, 'get', '/:cid/count', [...middlewares, middleware.assert.category], controllers.write.categories.getTopicCount);
- setupApiRoute(router, 'get', '/:cid/posts', [...middlewares, middleware.assert.category], controllers.write.categories.getPosts);
- setupApiRoute(router, 'get', '/:cid/children', [...middlewares, middleware.assert.category], controllers.write.categories.getChildren);
- setupApiRoute(router, 'get', '/:cid/topics', [...middlewares, middleware.assert.category], controllers.write.categories.getTopics);
+ setupApiRoute(router, 'get', '/:cid/count', [middleware.assert.category], controllers.write.categories.getTopicCount);
+ setupApiRoute(router, 'get', '/:cid/posts', [middleware.assert.category], controllers.write.categories.getPosts);
+ setupApiRoute(router, 'get', '/:cid/children', [middleware.assert.category], controllers.write.categories.getChildren);
+ setupApiRoute(router, 'get', '/:cid/topics', [middleware.assert.category], controllers.write.categories.getTopics);
 setupApiRoute(router, 'put', '/:cid/watch', [...middlewares, middleware.assert.category], controllers.write.categories.setWatchState);
 setupApiRoute(router, 'delete', '/:cid/watch', [...middlewares, middleware.assert.category], controllers.write.categories.setWatchState);
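Review bot: The four GET routes (`/:cid/count`, `/:cid/posts`, `/:cid/children`, `/:cid/topics`) lose `...middlewares`, but this commit adds a privilege check only to `getTopicCount`. The `getPosts`, `getChildren` and `getTopics` handlers are not shown here. `middlewares` is defined outside the hunk (presumably a login requirement), and whatever it enforced no longer applies to these routes, so each handler has to check the caller's category privileges itself. Confirm that for the three handlers not shown before merging. A regression test should call all four routes as a caller without access to the category and expect `[[error:no-privileges]]` or a filtered result.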