diff --git a/backend/app/api/endpoints/uploads.py b/backend/app/api/endpoints/uploads.py
index eb9d0e38..1a3efc83 100644
--- a/backend/app/api/endpoints/uploads.py
+++ b/backend/app/api/endpoints/uploads.py
@@ -255,9 +255,9 @@ async def get_upload_url(
 if upload is None:
 raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")
- # Verify the upload belongs to the user's account
+ # Verify the upload belongs to the user's account — 404 to avoid revealing existence
 if upload.account_id != current_user.account_id and not current_user.is_super_admin:
- raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
+ raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")
 url = storage_service.get_presigned_url(upload.storage_key)
 return {"url": url}
@@ -311,9 +311,9 @@ async def delete_upload(
 if upload is None:
 raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")
- # Verify ownership
+ # Verify ownership — 404 to avoid revealing existence
 if upload.uploaded_by != current_user.id and not current_user.is_super_admin:
- raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
+ raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")
 # Delete from S3
 await storage_service.delete_file(upload.storage_key)
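Review bot: Nothing in the new cross-account branch of get_upload_url records the denial, and the response is now identical to the one for a missing upload, so a user requesting other accounts' uploads leaves no trace that separates the two cases. Before the `raise` I would log the attempt at warning level, for example `logger.warning("upload access denied: user=%s account=%s owner_account=%s", current_user.id, current_user.account_id, upload.account_id)`, assuming the module has a logger, which the hunk does not show. The same applies to the ownership branch in the delete_upload hunk. The function body starts above the hunk, so how `upload` is looked up is not visible here.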
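Review bot: In delete_upload the 404 now also goes to a member of the same account who is not the uploader, although get_upload_url hands that same user a presigned URL for the upload, so the response hides nothing from them and misreports why the delete failed. If account members are meant to see each other's uploads (inferred from the account-level check in get_upload_url), I would return 404 only across accounts by adding `if upload.account_id != current_user.account_id and not current_user.is_super_admin:` with the 404 ahead of the ownership check. The `uploaded_by` check would then keep `status.HTTP_403_FORBIDDEN`. The function continues past the end of the hunk.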