diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c2a9e2cfa662e0705c27ac709003883aae431b54..00bf1078cd4f17c33882638b4f19b8bfd120a7be 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -26,6 +26,8 @@ Fixed
 * Due to a merge error, the once removed account menu in the sidenav appeared again.
 * Scheduled notifications were shown on dashboard before time.
 * Remove broken notifications menu item in favor of item next to account menu.
+* [OAuth2] Resources which are protected with client credentials 
+  allowed access even if there were not allowed scopes set.
 
 Changed
 ~~~~~~~
diff --git a/aleksis/core/util/auth_helpers.py b/aleksis/core/util/auth_helpers.py
index 6edfac83373882d077d0a588d822fd3a0d0cc9b4..ca80aeae4a59ac069023465559d599f929bab6d8 100644
--- a/aleksis/core/util/auth_helpers.py
+++ b/aleksis/core/util/auth_helpers.py
@@ -134,6 +134,10 @@ class ClientProtectedResourceMixin(_ClientProtectedResourceMixin):
         # Verify scopes of configured application
         # The OAuth request was enriched with a reference to the Application when using the
         #  validator above.
+        if not oauth_request.client.allowed_scopes:
+            # If there are no allowed scopes, the client is not allowed to access this resource
+            return False
+
         required_scopes = set(self.get_scopes() or [])
         allowed_scopes = set(AppScopes().get_available_scopes(oauth_request.client) or [])
         return required_scopes.issubset(allowed_scopes)
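Review bot: The added guard reads `oauth_request.client.allowed_scopes` directly, while the decision two lines below is made on `AppScopes().get_available_scopes(oauth_request.client)`, so the early return and the subset test rely on two different views of the client's scopes. If `get_available_scopes` fills in defaults for an application with no scopes set (inferred from the need for this fix; the helper is not visible here), other callers of it may still be affected, and a comment stating why the raw field is checked would help: `# Fail closed: get_available_scopes() may fall back to defaults for an empty allowed_scopes`. Separately, an empty `required_scopes` is a subset of any set, so a view whose `get_scopes()` returns nothing still admits every client with at least one allowed scope; if that is not intended, `if not required_scopes: return False` after the set is built would close it. The enclosing method starts above the hunk, and no test for the empty-scope case is visible in this diff.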