diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 7bda07d97..68a9a2110 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -64,6 +64,21 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
 var listBuckets ListAllMyBucketsList
 for _, entry := range entries {
 if entry.IsDirectory {
+ // Check ownership: only show buckets owned by this user (unless admin)
+ if identity != nil && identityId != "" {
+ var bucketOwnerId string
+ if entry.Extended != nil {
+ if id, ok := entry.Extended[s3_constants.AmzIdentityId]; ok {
+ bucketOwnerId = string(id)
+ }
+ }
+
+ // Skip buckets not owned by this user (unless they're an admin)
+ if bucketOwnerId != "" && bucketOwnerId != identityId && !identity.isAdmin() {
+ continue
+ }
+ }
+
 // Check permissions for each bucket
 if identity != nil {
 // For JWT-authenticated users, use IAM authorization
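Review bot: The ownership filter added before the permission check fails open in two cases: an entry with no `s3_constants.AmzIdentityId` in `entry.Extended` leaves `bucketOwnerId` empty and is listed for every caller, and the whole block is skipped when `identityId` is empty. If unowned buckets must stay visible for compatibility, record that next to the condition, e.g. `// Buckets without an owner attribute predate ownership tracking and remain visible to everyone`; otherwise hide them from non-admins with `if bucketOwnerId != identityId && !identity.isAdmin() {`. Where `identityId` is set is outside the hunk, so confirm an authenticated non-admin cannot arrive here with an empty value. The `entry.Extended != nil` guard can go, since indexing a nil map is safe in Go. ListBucketsHandler starts and ends outside the hunk.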