diff --git a/server/routes/api/torrents.ts b/server/routes/api/torrents.ts
index 0e3a2ea1..7f465f8c 100644
--- a/server/routes/api/torrents.ts
+++ b/server/routes/api/torrents.ts
@@ -668,6 +668,9 @@ router.get('/:hash/mediainfo', async (req, res) => {
   }
 
   const contentPath = fs.existsSync(path.join(directory, name)) ? path.join(directory, name) : directory;
+  if (!isAllowedPath(contentPath)) {
+    callback(null, accessDeniedError());
+  }
 
   try {
     const mediainfoProcess = childProcess.execFile(