diff --git a/server/router/api/v1/attachment_service.go b/server/router/api/v1/attachment_service.go
index 3226b9f42f563..8c84af92d11c2 100644
--- a/server/router/api/v1/attachment_service.go
+++ b/server/router/api/v1/attachment_service.go
@@ -200,6 +200,19 @@ func (s *APIV1Service) GetAttachment(ctx context.Context, request *v1pb.GetAttac
 if attachment == nil {
 return nil, status.Errorf(codes.NotFound, "attachment not found")
 }
+
+ // Verify authorization - user must be the owner of the attachment or an admin
+ user, err := s.fetchCurrentUser(ctx)
+ if err != nil {
+ return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+ }
+ if user == nil {
+ return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+ }
+ if user.ID != attachment.CreatorID && user.Role != store.RoleHost && user.Role != store.RoleAdmin {
+ return nil, status.Errorf(codes.PermissionDenied, "permission denied: you do not have access to this attachment")
+ }
+
 return convertAttachmentFromStore(attachment), nil
 }
 
diff --git a/store/seed/sqlite/01__dump.sql b/store/seed/sqlite/01__dump.sql
index 457703998b7e5..9d5287d088698 100644
--- a/store/seed/sqlite/01__dump.sql
+++ b/store/seed/sqlite/01__dump.sql
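Review bot: The authentication check on the new lines runs after the store lookup and after the `attachment not found` return above it, so an unauthenticated caller can still tell whether an attachment exists (NotFound for a missing one, Unauthenticated for an existing one), and a non-owner learns existence from PermissionDenied. Move the `s.fetchCurrentUser(ctx)` / `user == nil` block ahead of the lookup (the lookup and the start of GetAttachment are outside this hunk), and consider answering non-owners with the same `return nil, status.Errorf(codes.NotFound, "attachment not found")` the missing case uses so existence is never confirmed. The owner-or-admin rule also appears to deny attachments of PUBLIC memos to everyone except the creator and admins; if memo attachments are served through this RPC, the rule needs a memo-visibility branch — confirm against the callers. The hunk does not show whether `fetchCurrentUser` returns a nil user without an error for anonymous requests; the `user == nil` guard only helps if it does.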
@@ -1,5 +1,6 @@
 -- Demo User
-INSERT INTO user (id,username,role,nickname,password_hash) VALUES(1,'demo','HOST','Demo User','$2a$10$c.slEVgf5b/3BnAWlLb/vOu7VVSOKJ4ljwMe9xzlx9IhKnvAsJYM6');
+-- NOTE: Demo user with default password removed for security reasons.
+-- Administrators should create a strong password user manually if demo user is needed.
 
 -- Welcome Memo (Pinned)
 INSERT INTO memo (id,uid,creator_id,content,visibility,pinned,payload) VALUES(1,'welcome2memos001',1,replace('# Welcome to Memos!\\n\\nA privacy-first, lightweight note-taking service. Easily capture and share your great thoughts.\\n\\n## Key Features\\n\\n- **Privacy First**: Your data stays with you\\n- **Markdown Support**: Full CommonMark + GFM syntax\\n- **Quick Capture**: Jot down thoughts instantly\\n- **Organize with Tags**: Use #tags to categorize\\n- **Open Source**: Free and open source software\\n\\n---\\n\\nStart exploring the demo memos below to see what you can do! #welcome #getting-started','\\n',char(10)),'PUBLIC',1,'{"tags":["welcome","getting-started"],"property":{"hasLink":false}}');
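Review bot: The welcome memo that this hunk keeps still seeds `creator_id` 1, but the only row that created user id 1 is the INSERT this hunk removes, so the seed now writes a memo pointing at a user that does not exist — a failure at seed time if the schema enforces the reference, or an orphan that silently attaches to whichever account later receives id 1 if it does not. Either remove or guard the dependent memo rows together with the user, or state it in the new note, e.g. `-- NOTE: the seed memos below use creator_id 1 and belong to whichever account is assigned that id.` Dropping the row from the seed also does nothing for installs that already ran the old seed; those still hold the 'demo' HOST account with the known password hash, which is worth saying in the note or the release notes so operators delete or rotate it. Minor wording: `strong password user` reads oddly; `create a demo user with a strong password manually` is clearer.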