diff --git a/app/controllers/webhooks/activations_controller.rb b/app/controllers/webhooks/activations_controller.rb
index cbe3e9e329..82166043e5 100644
--- a/app/controllers/webhooks/activations_controller.rb
+++ b/app/controllers/webhooks/activations_controller.rb
@@ -1,8 +1,10 @@
 class Webhooks::ActivationsController < ApplicationController
+ include BoardScoped
+ before_action :ensure_admin
 def create
- webhook = Current.account.webhooks.find(params[:webhook_id])
+ webhook = @board.webhooks.find(params[:webhook_id])
 webhook.activate
 redirect_to webhook
diff --git a/test/controllers/webhooks/activations_controller_test.rb b/test/controllers/webhooks/activations_controller_test.rb
index 65c85d6353..b28fa39245 100644
--- a/test/controllers/webhooks/activations_controller_test.rb
+++ b/test/controllers/webhooks/activations_controller_test.rb
@@ -16,4 +16,20 @@ class Webhooks::ActivationsControllerTest < ActionDispatch::IntegrationTest
 assert_redirected_to board_webhook_path(webhook.board, webhook)
 end
+
+ test "cannot activate webhook on board without access" do
+ logout_and_sign_in_as :jason
+ webhook = webhooks(:inactive) # on private board, jason has no access
+
+ post board_webhook_activation_path(webhook.board, webhook)
+ assert_response :not_found
+ end
+
+ test "non-admin cannot activate webhook" do
+ logout_and_sign_in_as :jz # member with writebook access, but not admin
+ webhook = webhooks(:active) # on writebook board
+
+ post board_webhook_activation_path(webhook.board, webhook)
+ assert_response :forbidden
+ end
 end
diff --git a/test/controllers/webhooks_controller_test.rb b/test/controllers/webhooks_controller_test.rb
index c9316172de..de336bc884 100644
--- a/test/controllers/webhooks_controller_test.rb
+++ b/test/controllers/webhooks_controller_test.rb
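Review bot: The 404-before-403 ordering that the new tests pin (a non-member gets :not_found, a member who is not admin gets :forbidden) rests on `include BoardScoped` registering its board-loading callback ahead of `before_action :ensure_admin`, and nothing in the controller says so; reordering those two lines would silently change which check a non-member hits first and reveal whether the board exists. I would add `# BoardScoped must stay first: its before_action loads @board (404 for non-members) before ensure_admin runs` above the include. Whether `ensure_admin` checks an account-level or a board-level admin role is not visible in this hunk; confirm it matches the per-board scoping that `@board.webhooks.find` now applies. The closing `end` of `create` lies outside the hunk.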
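Review bot: Both new tests in activations_controller_test.rb assert only the response status, not that the webhook's activation state is unchanged, so a regression that activates the record before rendering the error would still pass. After each `assert_response` I would reload the fixture and assert it is still in its prior state, e.g. `assert_not webhook.reload.active?` for the `:not_found` case, using whatever predicate the Webhook model actually exposes. In the `:forbidden` case the `:active` fixture makes `activate` a no-op, so that test cannot observe the side effect at all; an inactive webhook on the writebook board would make it meaningful, if such a fixture exists. The enclosing test class starts outside the hunk.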
@@ -121,4 +121,13 @@ class WebhooksControllerTest < ActionDispatch::IntegrationTest
 assert_redirected_to board_webhooks_path(webhook.board)
 end
+
+ test "cannot access webhooks on board without access" do
+ logout_and_sign_in_as :jason
+
+ webhook = webhooks(:inactive) # on private board, jason has no access
+
+ get board_webhooks_path(webhook.board)
+ assert_response :not_found
+ end
 end
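Review bot: The new test only exercises the index route (`get board_webhooks_path`), while the controller under test presumably serves show, create and destroy under the same board scope, and a non-member reaching one of those would matter more than reaching the listing. I would add at least one mutating request for `:jason` next to this one, e.g. `delete board_webhook_path(webhook.board, webhook)` followed by `assert_response :not_found`, provided a destroy action exists. The enclosing test class starts outside the hunk.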