diff --git a/routers/web/repo/attachment.go b/routers/web/repo/attachment.go
index 3c01fc622e..66864f80ff 100644
--- a/routers/web/repo/attachment.go
+++ b/routers/web/repo/attachment.go
@@ -182,8 +182,11 @@ func ServeAttachment(ctx *context.Context, uuid string) {
 		}
 
 		if !perm.CanRead(unitType) {
-			ctx.HTTPError(http.StatusNotFound)
-			return
+			// Allow access for licensed read-only mode (private repo with valid license key).
+			if ctx.Data["LicensedReadOnly"] != true {
+				ctx.HTTPError(http.StatusNotFound)
+				return
+			}
 		}
 
 		if requiredScope, ok := attachmentReadScope(unitType); ok {