diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 57d497dc6..4222c911e 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -132,6 +132,12 @@ func isBucketVisibleToIdentity(entry *filer_pb.Entry, identity *Identity) bool {
 return true
 }
 
+ // Non-admin users with no name cannot own or see buckets.
+ // This prevents misconfigured identities from matching buckets with empty owner IDs.
+ if identity.Name == "" {
+ return false
+ }
+
 // Non-admin users: check ownership
 // Use the authenticated identity value directly (cannot be spoofed)
 id, ok := entry.Extended[s3_constants.AmzIdentityId]
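Review bot: The new `identity.Name == ""` guard returns false silently, so an identity loaded without a name simply sees no buckets and the operator gets no hint that the configuration is wrong. A log line in that branch, e.g. `glog.V(1).Infof("non-admin identity has empty name, hiding bucket %s", entry.Name)` (assuming glog is already imported in this file), would make the misconfiguration detectable. The guard also covers only this visibility check: if other handlers compare the identity name with `entry.Extended[s3_constants.AmzIdentityId]` for access decisions, an empty name could presumably still match an empty owner value there, so the check is better enforced in a shared helper or when identities are loaded. The function starts and ends outside the hunk, so the nil-identity and admin handling ahead of the guard cannot be confirmed from here.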