diff --git a/CHANGELOG b/CHANGELOG
index 74fb52d3aeb..a3d5a36bf57 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -79,6 +79,7 @@ v 8.9.0 (unreleased)
   - Allow users to create confidential issues in private projects
   - Measure CPU time for instrumented methods
   - Instrument private methods and private instance methods by default instead just public methods
+  - Only show notes through JSON on confidential issues that the user has access to
 
 v 8.8.5 (unreleased)
   - Ensure branch cleanup regardless of whether the GitHub import process succeeds
diff --git a/app/finders/notes_finder.rb b/app/finders/notes_finder.rb
index ee14ac60fb4..0b7832e6583 100644
--- a/app/finders/notes_finder.rb
+++ b/app/finders/notes_finder.rb
@@ -12,7 +12,7 @@ class NotesFinder
       when "commit"
         project.notes.for_commit_id(target_id).non_diff_notes
       when "issue"
-        project.issues.find(target_id).notes.inc_author
+        project.issues.visible_to_user(current_user).find(target_id).notes.inc_author
       when "merge_request"
         project.merge_requests.find(target_id).mr_and_commit_notes.inc_author
       when "snippet", "project_snippet"
diff --git a/spec/finders/notes_finder_spec.rb b/spec/finders/notes_finder_spec.rb
index c83824b900d..639b28d49ee 100644
--- a/spec/finders/notes_finder_spec.rb
+++ b/spec/finders/notes_finder_spec.rb
@@ -34,5 +34,21 @@ describe NotesFinder do
       notes = NotesFinder.new.execute(project, user, params)
       expect(notes).to eq([note1])
     end
+
+    context 'confidential issue notes' do
+      let(:confidential_issue) { create(:issue, :confidential, project: project, author: user) }
+      let!(:confidential_note) { create(:note, noteable: confidential_issue, project: confidential_issue.project) }
+
+      let(:params) { { target_id: confidential_issue.id, target_type: 'issue', last_fetched_at: 1.hour.ago.to_i } }
+
+      it 'returns notes if user can see the issue' do
+        expect(NotesFinder.new.execute(project, user, params)).to eq([confidential_note])
+      end
+
+      it 'raises an error if user can not see the issue' do
+        user = create(:user)
+        expect { NotesFinder.new.execute(project, user, params) }.to raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
   end
 end