diff --git a/src/server/object_services/object_server.js b/src/server/object_services/object_server.js
index 4c4009c50b..43ce28b8e0 100644
--- a/src/server/object_services/object_server.js
+++ b/src/server/object_services/object_server.js
@@ -776,7 +776,7 @@ async function read_node_mapping(req) {
 */
 async function read_object_md(req) {
 dbg.log1('object_server.read_object_md:', req.rpc_params);
- const { bucket, key, md_conditions, adminfo, encryption } = req.rpc_params;
+ const { bucket, key, md_conditions, adminfo, encryption, version_id } = req.rpc_params;
 if (adminfo && req.role !== 'admin') {
 throw new RpcError('UNAUTHORIZED', 'read_object_md: role should be admin');
@@ -785,8 +785,16 @@ async function read_object_md(req) {
 const obj = await find_object_md(req);
 // Check if the requesting account is authorized to read the object
- if (!await req.has_s3_bucket_permission(req.bucket, 's3:GetObject', '/' + obj.key)) {
- throw new RpcError('UNAUTHORIZED', 'requesting account is not authorized to read the object');
+ if (version_id) {
+ const permission_versioning_enabled = version_id && await req.has_s3_bucket_permission(req.bucket, 's3:GetObjectVersion', '/' + obj.key);
+ if (!permission_versioning_enabled) {
+ throw new RpcError('UNAUTHORIZED', 'requesting account is not authorized to read the object');
+ }
+ } else {
+ const permission_versioning_disabled = await req.has_s3_bucket_permission(req.bucket, 's3:GetObject', '/' + obj.key);
+ if (!permission_versioning_disabled) {
+ throw new RpcError('UNAUTHORIZED', 'requesting account is not authorized to read the object');
+ }
 }
 check_md_conditions(md_conditions, obj);
diff --git a/src/test/unit_tests/test_s3_bucket_policy.js b/src/test/unit_tests/test_s3_bucket_policy.js
index 879753549a..65123d97f4 100644
--- a/src/test/unit_tests/test_s3_bucket_policy.js
+++ b/src/test/unit_tests/test_s3_bucket_policy.js
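Review bot: The two branches of the new authorization block in the second hunk differ only in the IAM action string, and the `version_id &&` inside the `if (version_id)` branch is redundant because that branch is only entered when `version_id` is truthy, so the check can be written once: `const action = version_id ? 's3:GetObjectVersion' : 's3:GetObject';` followed by `if (!await req.has_s3_bucket_permission(req.bucket, action, '/' + obj.key)) {` and the existing throw. A single check site also keeps the two UNAUTHORIZED paths from drifting apart in a later edit. The action is chosen from the `version_id` in req.rpc_params rather than from whatever `find_object_md` resolved, which looks intended but deserves a one-line comment, e.g. `// a request naming a version is governed by s3:GetObjectVersion, an unversioned one by s3:GetObject`. read_object_md continues outside the hunk.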
@@ -704,7 +704,6 @@ mocha.describe('s3_bucket_policy', function() {
 mocha.describe('bucket policy on get object attributes - versioning enabled', async function() {
 // currently the read_object in the object server is hard-coded on regular head object permission
 // and not flexible to versioned way
- if (!is_nc_coretest) this.skip(); // eslint-disable-line no-invalid-this
 let version_id;
 mocha.before('put object', async function() {