diff --git a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
index ce62d298f25..f067f0751a3 100644
--- a/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
+++ b/admin/app/controllers/solidus_admin/controller_helpers/authorization.rb
@@ -5,6 +5,10 @@ module SolidusAdmin::ControllerHelpers::Authorization
 
   included do
     before_action :authorize_solidus_admin_user!
+
+    rescue_from CanCan::AccessDenied do
+      render 'unauthorized', status: :forbidden
+    end
   end
 
   private
diff --git a/admin/app/views/solidus_admin/base/unauthorized.html.erb b/admin/app/views/solidus_admin/base/unauthorized.html.erb
new file mode 100644
index 00000000000..b47118192b0
--- /dev/null
+++ b/admin/app/views/solidus_admin/base/unauthorized.html.erb
@@ -0,0 +1,4 @@
+<div class="p-4">
+  <h1 class="text-3xl font-semibold text-solidusRed mb-4"><%= t('solidus_admin.errors.authorization.access_denied.title') %></h1>
+  <p class="text-lg text-gray-700"><%= t('solidus_admin.errors.authorization.access_denied.description') %></p>
+</div>
diff --git a/admin/config/locales/errors.en.yml b/admin/config/locales/errors.en.yml
new file mode 100644
index 00000000000..bf22b801c75
--- /dev/null
+++ b/admin/config/locales/errors.en.yml
@@ -0,0 +1,7 @@
+en:
+  solidus_admin:
+    errors:
+      authorization:
+        access_denied:
+          title: "Access Denied"
+          description: "You are not authorized to access this page."
diff --git a/admin/spec/controllers/solidus_admin/base_controller_spec.rb b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
index fbab33fa0af..b7bb5f8fc52 100644
--- a/admin/spec/controllers/solidus_admin/base_controller_spec.rb
+++ b/admin/spec/controllers/solidus_admin/base_controller_spec.rb
@@ -15,10 +15,22 @@ def index
       allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(nil)
     end
 
-    it "redirects to unauthorized" do
+    it "redirects to unauthorized for no user" do
       get :index
       expect(response).to redirect_to '/unauthorized'
     end
+
+    context "with a user without update permission" do
+      before do
+        user = create(:user, email: 'user@example.com')
+        allow_any_instance_of(SolidusAdmin::BaseController).to receive(:spree_current_user).and_return(user)
+      end
+
+      it "redirects to unauthorized" do
+        get :index
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
   end
 
   context "successful request" do