diff --git a/backend/src/appointment/routes/api.py b/backend/src/appointment/routes/api.py
index 7492784fc..b02919e25 100644
--- a/backend/src/appointment/routes/api.py
+++ b/backend/src/appointment/routes/api.py
@@ -404,8 +404,10 @@ def read_remote_events(
 redis_instance: Redis | RedisCluster | None = Depends(get_redis),
 ):
 """endpoint to get events in a given date range from a remote calendar"""
- db_calendar = repo.calendar.get(db, calendar_id=id)
+ if not repo.calendar.is_owned(db, calendar_id=id, subscriber_id=subscriber.id):
+ raise validation.CalendarNotAuthorizedException()
+ db_calendar = repo.calendar.get(db, calendar_id=id)
 if db_calendar is None:
 raise validation.CalendarNotFoundException()
diff --git a/backend/test/integration/test_appointment.py b/backend/test/integration/test_appointment.py
index c57df6f88..363740094 100644
--- a/backend/test/integration/test_appointment.py
+++ b/backend/test/integration/test_appointment.py
@@ -184,14 +184,14 @@ def mock_client_calendar(url):
 assert isinstance(event.all_day, bool)
 assert isinstance(event.tentative, bool)
- def test_get_remote_caldav_events_invalid_calendar(self, with_client, make_appointment):
+ def test_get_remote_caldav_events_unauthorized_calendar(self, with_client, make_appointment):
 generated_appointment = make_appointment()
 path = f'/rmt/cal/{generated_appointment.calendar_id + 999}/' + DAY1 + '/' + DAY3
 response = with_client.get(path, headers=auth_headers)
- assert response.status_code == 404, response.text
+ assert response.status_code == 403, response.text
 data = response.json()
- assert data['detail']['id'] == 'CALENDAR_NOT_FOUND'
+ assert data['detail']['id'] == 'CALENDAR_NOT_AUTH'
 def test_get_invitation_ics_file(self, with_client, make_appointment):
 generated_appointment = make_appointment()
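Review bot: The new `is_owned` guard in read_remote_events is only exercised for a calendar id that does not exist: the renamed test in the second hunk requests `calendar_id + 999` and now expects 403, so nothing in this commit confirms that an existing calendar belonging to a different subscriber is rejected, which is the case the check exists for; a second test that creates a calendar under another subscriber and asserts `CALENDAR_NOT_AUTH` would close that gap. Because the ownership check now runs before the lookup, the following `if db_calendar is None` branch is only reachable if the row disappears between the two queries (assuming `is_owned` returns False for an unknown id, as the 404→403 test change suggests); that ordering is the right one, since a caller can no longer tell a foreign calendar from a missing one, and it deserves a comment so nobody "fixes" it later, e.g. `# Ownership is checked before existence so a caller cannot probe which calendar ids exist.` The function signature, including the `subscriber` dependency the guard relies on, sits outside the hunk.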