diff --git a/CHANGELOG.md b/CHANGELOG.md index cae74bd2..f795cc21 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,8 @@ ## Changelog - # 5.1.9 - 2026-06-22 - Upgrade packages: guzzle to 7.10.1, psr7 to 2.10.4 & promises to ^2.3, +- Enforce View access on the `pendingImports` controller action # 5.1.8 - 2026-05-25 - Upgraded phpseclib package to 3.0.52 diff --git a/Controller.php b/Controller.php index 612cece4..9294e487 100644 --- a/Controller.php +++ b/Controller.php @@ -475,6 +475,8 @@ private function getNotificationExceptionText(\Exception $e) } public function pendingImports() { + $idSite = Common::getRequestVar('idSite', -1, 'int'); + Piwik::checkUserHasViewAccess($idSite); $pendingImports = \Piwik\Plugins\GoogleAnalyticsImporter\GoogleAnalyticsImporter::canDisplayImportPendingNotice(); return json_encode($pendingImports); }
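Review bot: The new check in `pendingImports()` authorises the caller against the `idSite` read from the request, but `canDisplayImportPendingNotice()` is then called without that id, so as far as this hunk shows the returned data is not tied to the site that was checked. A user with view access to any one site can pass that site's id and receive the same response. If the notice can describe imports for other sites, the check should be made against the site(s) the notice refers to, or the result should be filtered by `$idSite`. If the helper is intentionally instance-wide, record that next to the check, e.g. `// Notice is instance-wide; view access to any one site is sufficient to read it.` The `-1` default appears to fail closed for non-super-users when `idSite` is missing, which is worth pinning with a test.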