diff --git a/app/models/category.rb b/app/models/category.rb
index 62228a02d0e..8e58c11954d 100644
--- a/app/models/category.rb
+++ b/app/models/category.rb
@@ -240,7 +240,11 @@ class Category < ActiveRecord::Base
 
 # Categories with children
 with_children =
- Category.where(parent_category_id: category_ids).pluck(:parent_category_id).to_set
+ Category
+ .secured(@guardian)
+ .where(parent_category_id: category_ids)
+ .pluck(:parent_category_id)
+ .to_set
 
 # Update category attributes
 categories.each do |category|
diff --git a/spec/requests/categories_controller_spec.rb b/spec/requests/categories_controller_spec.rb
index aebd307ee54..4ddfa8a4c5b 100644
--- a/spec/requests/categories_controller_spec.rb
+++ b/spec/requests/categories_controller_spec.rb
@@ -1041,6 +1041,7 @@ RSpec.describe CategoriesController do
 end
 
 describe "#find" do
+ fab!(:group)
 fab!(:category) { Fabricate(:category, name: "Foo") }
 fab!(:subcategory) { Fabricate(:category, name: "Foobar", parent_category: category) }
 
@@ -1051,6 +1052,17 @@ RSpec.describe CategoriesController do
 expect(response.parsed_body["categories"].map { |c| c["id"] }).to eq([subcategory.id])
 end
 
+ it "preloads user-specific fields" do
+ subcategory.update!(read_restricted: true)
+
+ get "/categories/find.json", params: { ids: [category.id] }
+
+ serialized = response.parsed_body["categories"].first
+ expect(serialized["notification_level"]).to eq(CategoryUser.default_notification_level)
+ expect(serialized["permission"]).to eq(nil)
+ expect(serialized["has_children"]).to eq(false)
+ end
+
 it "does not return hidden category" do
 category.update!(read_restricted: true)
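Review bot: The comment `# Categories with children` above the rewritten query no longer describes what the set holds, and a later reader could "simplify" the chain back to the unsecured `Category.where(...)` and reintroduce the disclosure of hidden subcategories that the spec hunk below guards against (`has_children` is false once the subcategory is read-restricted). Suggest `# Categories with at least one child visible to @guardian; secured so has_children does not reveal hidden subcategories`. The enclosing method starts and ends outside the hunk, so whether `@guardian` is always set at this point cannot be checked from the diff; if it can be nil, confirm that `Category.secured(nil)` resolves to the anonymous-user scope rather than an unrestricted one.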
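Review bot: `fab!(:group)` is added to the `#find` block, but nothing in the new example in the following hunk references `group`; if no other example in this describe block uses it, the fixture only adds setup cost per example and should be dropped. The describe block continues outside the hunk, so it may be consumed by an example not shown here.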