diff --git a/weed/s3api/cors/middleware.go b/weed/s3api/cors/middleware.go
index 2f0b8d438..5794f7277 100644
--- a/weed/s3api/cors/middleware.go
+++ b/weed/s3api/cors/middleware.go
@@ -50,6 +50,9 @@ func (m *Middleware) getCORSConfig(bucket string) (*CORSConfiguration, bool) {
 // No bucket config, proceed to fallback.
 case s3err.ErrNoSuchCORSConfiguration:
 // No bucket config, proceed to fallback.
+ case s3err.ErrNoSuchBucket:
+ // Bucket doesn't exist, proceed to fallback.
+ // This ensures we don't leak existence information and returning 403 vs 200.
 default:
 // Any other error means we should not proceed.
 return nil, false
diff --git a/weed/s3api/cors/middleware_test.go b/weed/s3api/cors/middleware_test.go
index e9f89a038..98f7940be 100644
--- a/weed/s3api/cors/middleware_test.go
+++ b/weed/s3api/cors/middleware_test.go
@@ -358,10 +358,10 @@ func TestMiddlewareFallbackWithError(t *testing.T) {
 description: "Internal errors should not expose CORS headers",
 },
 {
- name: "ErrNoSuchBucket should not trigger fallback",
+ name: "ErrNoSuchBucket should trigger fallback",
 errCode: s3err.ErrNoSuchBucket,
- expectedOriginHeader: "",
- description: "Bucket not found errors should not expose CORS headers",
+ expectedOriginHeader: "https://example.com",
+ description: "Bucket not found errors should expose CORS headers to prevent information disclosure",
 },
 {
 name: "ErrNoSuchCORSConfiguration should trigger fallback",
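Review bot: The comment on the new `case s3err.ErrNoSuchBucket:` branch is garbled — "and returning 403 vs 200" does not parse, and getCORSConfig only returns `(*CORSConfiguration, bool)`, so any status-code behaviour is decided by a caller outside this hunk. Suggest `// Bucket doesn't exist: use the same fallback as a bucket with no CORS config, so the CORS response does not reveal whether the bucket exists.` Since the branch is now identical to the `ErrNoSuchCORSConfiguration` case, the two could be merged into `case s3err.ErrNoSuchCORSConfiguration, s3err.ErrNoSuchBucket:` with a single comment. This only closes the CORS-header channel; whether the rest of the response still differs for a missing bucket depends on callers not visible here. getCORSConfig starts and ends outside the hunk.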
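Review bot: The updated table entry asserts only `expectedOriginHeader`, so it pins that a header is emitted but not that the missing-bucket response is otherwise indistinguishable from the no-CORS-config one, which is the property the new description claims. If the table's assertion code (outside the hunk) can compare the full header set and status, adding a check that `s3err.ErrNoSuchBucket` and `s3err.ErrNoSuchCORSConfiguration` produce identical responses would make the information-disclosure claim testable rather than implied. TestMiddlewareFallbackWithError starts and ends outside the hunk.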