diff --git a/mailpoet/lib/API/JSON/v1/AutomatedLatestContent.php b/mailpoet/lib/API/JSON/v1/AutomatedLatestContent.php
index 13956bb0c8..b85a36c45d 100644
--- a/mailpoet/lib/API/JSON/v1/AutomatedLatestContent.php
+++ b/mailpoet/lib/API/JSON/v1/AutomatedLatestContent.php
@@ -4,23 +4,33 @@ namespace MailPoet\API\JSON\v1;
 use MailPoet\API\JSON\Endpoint as APIEndpoint;
 use MailPoet\Config\AccessControl;
+use MailPoet\Newsletter\AutomatedLatestContent as ALC;
+use MailPoet\Util\APIPermissionHelper;
 use MailPoet\WP\Functions as WPFunctions;
 use MailPoet\WP\Posts as WPPosts;
 class AutomatedLatestContent extends APIEndpoint {
- /** @var \MailPoet\Newsletter\AutomatedLatestContent */
+ /** @var ALC */
 public $ALC;
+
+ /*** @var WPFunctions */
 private $wp;
+
+ /*** @var APIPermissionHelper */
+ private $permissionHelper;
+
 public $permissions = [
 'global' => AccessControl::PERMISSION_MANAGE_EMAILS,
 ];
 public function __construct(
- \MailPoet\Newsletter\AutomatedLatestContent $alc,
+ ALC $alc,
+ APIPermissionHelper $permissionHelper,
 WPFunctions $wp
 ) {
 $this->ALC = $alc;
 $this->wp = $wp;
+ $this->permissionHelper = $permissionHelper;
 }
 public function getPostTypes() {
@@ -65,14 +75,24 @@ class AutomatedLatestContent extends APIEndpoint {
 return $this->successResponse(array_values($terms));
 }
+ /**
+ * @param \WP_Post[] $posts
+ * @return \WP_Post[]
+ */
+ private function getPermittedPosts($posts) {
+ return array_filter($posts, function ($post) {
+ return $this->permissionHelper->checkReadPermission($post);
+ });
+ }
+
 public function getPosts($data = []) {
 return $this->successResponse(
- $this->ALC->getPosts($data)
+ $this->getPermittedPosts($this->ALC->getPosts($data))
 );
 }
 public function getTransformedPosts($data = []) {
- $posts = $this->ALC->getPosts($data);
+ $posts = $this->getPermittedPosts($this->ALC->getPosts($data));
 return $this->successResponse(
 $this->ALC->transformPosts($data, $posts)
 );
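Review bot: The two new property annotations in the first hunk of AutomatedLatestContent.php open with `/***` instead of `/**`, so they are ordinary comments rather than PHPDoc blocks and static analysis will not read the declared types of `$wp` and `$permissionHelper`. They should read `/** @var WPFunctions */` and `/** @var APIPermissionHelper */`. Separately, `APIPermissionHelper $permissionHelper` is inserted between `$alc` and `$wp` in the constructor, so any code that builds this endpoint positionally (tests, presumably) must be updated along with it; container autowiring is unaffected.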
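Review bot: `getPermittedPosts()` returns the raw result of `array_filter()`, which keeps the original keys, so as soon as a post other than the last is rejected the result has gaps in its keys and `getPosts()` will presumably serialise it as a JSON object rather than an array. The context line just above already uses `successResponse(array_values($terms))`; the helper should reindex the same way, `return array_values(array_filter($posts, function ($post) {` closed by `}));`. The same helper feeds `getTransformedPosts()` and the `@@ -83,7` hunk, so the fix belongs in the helper, not at each call site. The filter also runs after `$this->ALC->getPosts()` has already applied whatever limit `$data` carries, so a request can return fewer posts than were asked for; a short comment on the helper stating that this is intended would help the next reader.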
@@ -83,7 +103,7 @@ class AutomatedLatestContent extends APIEndpoint {
 $renderedPosts = [];
 foreach ($data['blocks'] as $block) {
- $posts = $this->ALC->getPosts($block, $usedPosts);
+ $posts = $this->getPermittedPosts($this->ALC->getPosts($block, $usedPosts));
 $renderedPosts[] = $this->ALC->transformPosts($block, $posts);
 foreach ($posts as $post) {
diff --git a/mailpoet/lib/DI/ContainerConfigurator.php b/mailpoet/lib/DI/ContainerConfigurator.php
index 4211b99538..d1aa93ebd1 100644
--- a/mailpoet/lib/DI/ContainerConfigurator.php
+++ b/mailpoet/lib/DI/ContainerConfigurator.php
@@ -84,6 +84,7 @@ class ContainerConfigurator implements IContainerConfigurator {
 $container->autowire(\MailPoet\API\JSON\v1\SubscriberStats::class)->setPublic(true);
 $container->autowire(\MailPoet\API\JSON\v1\Subscribers::class)->setPublic(true);
 $container->autowire(\MailPoet\API\JSON\v1\WoocommerceSettings::class)->setPublic(true);
+ $container->autowire(\MailPoet\Util\APIPermissionHelper::class)->setPublic(true);
 // API response builders
 $container->autowire(\MailPoet\API\JSON\ResponseBuilders\NewslettersResponseBuilder::class)->setPublic(true);
 $container->autowire(\MailPoet\API\JSON\ResponseBuilders\NewsletterTemplatesResponseBuilder::class);
diff --git a/mailpoet/lib/Util/APIPermissionHelper.php b/mailpoet/lib/Util/APIPermissionHelper.php
new file mode 100644
index 0000000000..65361c1204
--- /dev/null
+++ b/mailpoet/lib/Util/APIPermissionHelper.php
@@ -0,0 +1,35 @@ +public; + } +}
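Review bot: In the ContainerConfigurator.php hunk, `APIPermissionHelper` is registered with `->setPublic(true)`, yet the only use visible in this commit is constructor injection into the endpoint, which does not require a public service. Unless something fetches it from the container directly, `$container->autowire(\MailPoet\Util\APIPermissionHelper::class);` is enough, as the `NewsletterTemplatesResponseBuilder` line two rows below shows. The new line also sits at the end of the `API\JSON\v1` endpoint registrations although the class lives in `MailPoet\Util`; moving it out of that list would keep the list limited to endpoints. The enclosing method starts and ends outside the hunk.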