diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 1cc1d0e2b4..f7debba784 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -72,7 +72,7 @@ class UsersController < ApplicationController
       user_serializer = serializer_class.new(@user, scope: guardian, root: 'user')
 
       topic_id = params[:include_post_count_for].to_i
-      if topic_id != 0
+      if topic_id != 0 && guardian.can_see?(Topic.find_by_id(topic_id))
         user_serializer.topic_post_count = { topic_id => Post.secured(guardian).where(topic_id: topic_id, user_id: @user.id).count }
       end
     else
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 9c451a2b88..238aa6bed2 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -4201,6 +4201,15 @@ RSpec.describe UsersController do
           expect(topic_post_count[topic.id.to_s]).to eq(1)
         end
 
+        it "doesn't include the post count when the signed in user doesn't have access" do
+          c = Fabricate(:category, read_restricted: true)
+          topic.update(category_id: c.id)
+          expect(Guardian.new(user1).can_see?(topic)).to eq(false)
+          get "/u/#{admin.username}.json", params: { include_post_count_for: topic.id }
+          topic_post_count = response.parsed_body.dig("user", "topic_post_count")
+          expect(topic_post_count).to eq(nil)
+        end
+
         it "includes all post types for staff members" do
           SiteSetting.whispers_allowed_groups = "#{Group::AUTO_GROUPS[:staff]}"
           sign_in(admin)