diff --git a/workflow/packages/frontend/src/hooks/authorization-hooks.ts b/workflow/packages/frontend/src/hooks/authorization-hooks.ts
index ca93c7c2..548af23b 100644
--- a/workflow/packages/frontend/src/hooks/authorization-hooks.ts
+++ b/workflow/packages/frontend/src/hooks/authorization-hooks.ts
@@ -33,10 +33,17 @@ export const useAuthorization = () => {
   });
   const checkAccess = (permission: Permission) => {
-    if (isLoading || edition === ApEdition.COMMUNITY) {
-      return true;
+    // SECURITY FIX: Implement fail-closed security principle during loading
+    if (isLoading) {
+      return false; // ✅ SECURE: Deny access during authentication loading
     }
-    return projectRole?.permissions?.includes(permission) ?? true;
+
+    if (edition === ApEdition.COMMUNITY) {
+      return true; // Community edition bypass OK
+    }
+
+    // Default to deny access if projectRole is undefined
+    return projectRole?.permissions?.includes(permission) ?? false;
   };
   return { checkAccess };