diff --git a/controllers/TicketController.php b/controllers/TicketController.php
index de45ad6..2d41e11 100644
--- a/controllers/TicketController.php
+++ b/controllers/TicketController.php
@@ -42,10 +42,10 @@ class TicketController {
 return;
 }
- // Check visibility access
+ // Check visibility access — return 404 rather than 403 to avoid leaking ticket existence
 if (!$this->ticketModel->canUserAccessTicket($ticket, $currentUser)) {
- header("HTTP/1.0 403 Forbidden");
- echo "Access denied: You do not have permission to view this ticket";
+ header("HTTP/1.0 404 Not Found");
+ echo "Ticket not found";
 return;
 }
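Review bot: The new 404 branch after `canUserAccessTicket()` hides ticket existence only if its response is indistinguishable from the genuine not-found path. That path is presumably the branch ending in the `return; }` context lines at the top of the hunk, but its body is not visible here. Both paths should send the same status line and body, ideally through one shared helper, and `http_response_code(404);` is preferable to the hard-coded `header("HTTP/1.0 404 Not Found");`, which pins the protocol version. Because the client no longer sees a denial, the denied attempt should still be logged server-side with the user and ticket identifiers the controller already holds, so repeated ID probing remains detectable. The enclosing method begins and continues outside the hunk.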