diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 35525c45f..57d497dc6 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -62,9 +62,9 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
 identityId := ""
 if identity != nil {
 identityId = identity.Name
- } else {
- identityId = r.Header.Get(s3_constants.AmzIdentityId)
 }
+ // Note: For unauthenticated requests, identityId remains empty.
+ // We never read from request headers to prevent reflecting unvalidated user input.
 var listBuckets ListAllMyBucketsList
 for _, entry := range entries {
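Review bot: After this change an unauthenticated request reaches the `for _, entry := range entries` loop with `identityId == ""`, and the hunk does not show how the loop treats that value. If ownership is decided by comparing `identityId` with a stored owner field, a bucket whose owner field is empty or missing could match an anonymous caller; that comparison is outside the hunk, so it needs checking against the loop body. I would state the contract at the assignment, e.g. `// identityId == "" means anonymous and must never satisfy an owner comparison below`, and add a test that calls ListBuckets without credentials but with the `s3_constants.AmzIdentityId` header set, asserting the header value is neither used for filtering nor echoed in the response. ListBucketsHandler starts and ends outside the hunk.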