diff --git a/lib/read-zip.js b/lib/read-zip.js
index a181575c..67ea9d10 100644
--- a/lib/read-zip.js
+++ b/lib/read-zip.js
@@ -32,7 +32,9 @@ const resolveBaseDir = async (zipPath) => {
 const readZip = (zip, options = {}) => {
     const tempUuid = randomUUID();
     const tempPath = os.tmpdir() + '/' + tempUuid;
-    const extractOptions = {};
+    const extractOptions = {
+        ensureOwnerPermissions: true
+    };
 
     if (options.limits) {
         extractOptions.limits = options.limits;
diff --git a/package.json b/package.json
index 840fb544..12643ab5 100644
--- a/package.json
+++ b/package.json
@@ -51,7 +51,7 @@
     "@tryghost/nql": "0.13.1",
     "@tryghost/pretty-cli": "3.3.1",
     "@tryghost/server": "3.1.1",
-    "@tryghost/zip": "3.4.1",
+    "@tryghost/zip": "3.5.0",
     "chalk": "5.6.2",
     "express": "5.2.1",
     "express-handlebars": "8.0.1",
diff --git a/test/read-zip.test.js b/test/read-zip.test.js
index 211fa68b..51af148f 100644
--- a/test/read-zip.test.js
+++ b/test/read-zip.test.js
@@ -140,7 +140,10 @@ describe('Zip file handler can read zip files', function () {
             const zip = await mocked.readZip({path: '/tmp/theme.zip', name: 'theme.zip'}, {limits});
             tempDirs.push(zip.origPath);
 
-            expect(extract).toHaveBeenCalledWith('/tmp/theme.zip', expect.any(String), {limits});
+            expect(extract).toHaveBeenCalledWith('/tmp/theme.zip', expect.any(String), {
+                ensureOwnerPermissions: true,
+                limits
+            });
         } finally {
             mocked.restore();
         }
@@ -162,7 +165,9 @@ describe('Zip file handler can read zip files', function () {
                 errorDetails: extractError.message
             });
 
-            expect(extract).toHaveBeenCalledWith('/tmp/theme.zip', expect.any(String), {});
+            expect(extract).toHaveBeenCalledWith('/tmp/theme.zip', expect.any(String), {
+                ensureOwnerPermissions: true
+            });
         } finally {
             mocked.restore();
         }
diff --git a/yarn.lock b/yarn.lock
index 93e16919..ad6a2d66 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -728,10 +728,10 @@
     "@tryghost/root-utils" "2.3.1"
     semver "7.8.5"
 
-"@tryghost/zip@3.4.1":
-  version "3.4.1"
-  resolved "https://registry.yarnpkg.com/@tryghost/zip/-/zip-3.4.1.tgz#34dd0fb14c6af56396bf7d42dbaaf0d316b9edfc"
-  integrity sha512-z45W9JNJSjo8t6JOaf0NUeePOo20yZqALajp9T+xV0gik4V9xLy0r9lR4qDnEMFIgNCy67okh+vDzOsp7MCayw==
+"@tryghost/zip@3.5.0":
+  version "3.5.0"
+  resolved "https://registry.yarnpkg.com/@tryghost/zip/-/zip-3.5.0.tgz#e65c35b4fe6ec4b326ede5267cab6bc18e39990a"
+  integrity sha512-igHHPyBasmo+MWM+l8qtWWX/cdHlAQps5HbCfESi4zGPlkTzuScHfmFAnuXsCx+MZKP5LozgnQHOVIf6jkaU8A==
   dependencies:
     "@tryghost/errors" "3.3.1"
     archiver "8.0.0"