diff --git a/lib/read-zip.js b/lib/read-zip.js
index a181575c..67ea9d10 100644
--- a/lib/read-zip.js
+++ b/lib/read-zip.js
@@ -32,7 +32,9 @@ const resolveBaseDir = async (zipPath) => {
 const readZip = (zip, options = {}) => {
     const tempUuid = randomUUID();
     const tempPath = os.tmpdir() + '/' + tempUuid;
-    const extractOptions = {};
+    const extractOptions = {
+        ensureOwnerPermissions: true
+    };
 
     if (options.limits) {
         extractOptions.limits = options.limits;
diff --git a/test/read-zip.test.js b/test/read-zip.test.js
index 211fa68b..51af148f 100644
--- a/test/read-zip.test.js
+++ b/test/read-zip.test.js
@@ -140,7 +140,10 @@ describe('Zip file handler can read zip files', function () {
             const zip = await mocked.readZip({path: '/tmp/theme.zip', name: 'theme.zip'}, {limits});
             tempDirs.push(zip.origPath);
 
-            expect(extract).toHaveBeenCalledWith('/tmp/theme.zip', expect.any(String), {limits});
+            expect(extract).toHaveBeenCalledWith('/tmp/theme.zip', expect.any(String), {
+                ensureOwnerPermissions: true,
+                limits
+            });
         } finally {
             mocked.restore();
         }
@@ -162,7 +165,9 @@ describe('Zip file handler can read zip files', function () {
                 errorDetails: extractError.message
             });
 
-            expect(extract).toHaveBeenCalledWith('/tmp/theme.zip', expect.any(String), {});
+            expect(extract).toHaveBeenCalledWith('/tmp/theme.zip', expect.any(String), {
+                ensureOwnerPermissions: true
+            });
         } finally {
             mocked.restore();
         }