diff --git a/internal/api/security_regression_test.go b/internal/api/security_regression_test.go
index 55937f9fb..2f0e2f163 100644
--- a/internal/api/security_regression_test.go
+++ b/internal/api/security_regression_test.go
@@ -1189,6 +1189,39 @@ func TestConfigNodesWriteRequiresSettingsWriteScope(t *testing.T) {
 	}
 }
 
+func TestConfigNodeMutationsRequireSettingsWriteScope(t *testing.T) {
+	rawToken := "config-node-mutate-token-123.12345678"
+	record := newTokenRecord(t, rawToken, []string{config.ScopeSettingsRead}, nil)
+	cfg := newTestConfigWithTokens(t, record)
+	router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
+
+	paths := []struct {
+		method string
+		path   string
+		body   string
+	}{
+		{method: http.MethodPost, path: "/api/config/nodes/test-config", body: `{}`},
+		{method: http.MethodPost, path: "/api/config/nodes/test-connection", body: `{}`},
+		{method: http.MethodPut, path: "/api/config/nodes/node-1", body: `{}`},
+		{method: http.MethodDelete, path: "/api/config/nodes/node-1", body: ""},
+		{method: http.MethodPost, path: "/api/config/nodes/node-1/test", body: `{}`},
+		{method: http.MethodPost, path: "/api/config/nodes/node-1/refresh-cluster", body: `{}`},
+	}
+
+	for _, tc := range paths {
+		req := httptest.NewRequest(tc.method, tc.path, strings.NewReader(tc.body))
+		req.Header.Set("X-API-Token", rawToken)
+		rec := httptest.NewRecorder()
+		router.Handler().ServeHTTP(rec, req)
+		if rec.Code != http.StatusForbidden {
+			t.Fatalf("expected 403 for missing settings:write scope on %s %s, got %d", tc.method, tc.path, rec.Code)
+		}
+		if !strings.Contains(rec.Body.String(), config.ScopeSettingsWrite) {
+			t.Fatalf("expected missing scope response to mention %q, got %q", config.ScopeSettingsWrite, rec.Body.String())
+		}
+	}
+}
+
 func TestSecurityOIDCRequiresSettingsWriteScope(t *testing.T) {
 	rawToken := "security-oidc-token-123.12345678"
 	record := newTokenRecord(t, rawToken, []string{config.ScopeSettingsRead}, nil)