diff --git a/gradle/changelog/hg_anonymous_mode.yaml b/gradle/changelog/hg_anonymous_mode.yaml
new file mode 100644
index 0000000000..8d4bd0aec5
--- /dev/null
+++ b/gradle/changelog/hg_anonymous_mode.yaml
@@ -0,0 +1,2 @@
+- type: fixed
+  description: Broken HG write access when anonymous users have read access
diff --git a/scm-webapp/src/main/java/sonia/scm/web/cgi/DefaultCGIExecutor.java b/scm-webapp/src/main/java/sonia/scm/web/cgi/DefaultCGIExecutor.java
index 2d8a374e5e..e06f42c168 100644
--- a/scm-webapp/src/main/java/sonia/scm/web/cgi/DefaultCGIExecutor.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/cgi/DefaultCGIExecutor.java
@@ -36,6 +36,7 @@ import org.slf4j.LoggerFactory;
 
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.Authentications;
 import sonia.scm.util.HttpUtil;
 import sonia.scm.util.IOUtil;
 import sonia.scm.util.SystemUtil;
@@ -444,7 +445,11 @@ public class DefaultCGIExecutor extends AbstractCGIExecutor
     if (status < 304) {
       response.setStatus(status);
     } else {
-      response.sendError(status);
+      if (status == 401 && Authentications.isAuthenticatedSubjectAnonymous()) {
+        HttpUtil.sendUnauthorized(response, configuration.getRealmDescription());
+      } else {
+        response.sendError(status);
+      }
     }
   }