diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
index 45d2707a6e0..ff21d50aff7 100644
--- a/dojo/api_v2/serializers.py
+++ b/dojo/api_v2/serializers.py
@@ -1527,6 +1527,16 @@ def get_engagement(self, obj):
             engagement
         )
 
+    def validate(self, data):
+        if self.context["request"].method == "POST":
+            findings = data['accepted_findings']
+            for finding in findings:
+                if not user_has_permission(self.context["request"].user, finding, Permissions.Finding_View):
+                    raise PermissionDenied(
+                        "You are not permitted to add one or more selected findings to this risk acceptance"
+                    )
+        return data
+
     class Meta:
         model = Risk_Acceptance
         fields = "__all__"
diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py
index 40bc45b892b..fceb87c7ea2 100644
--- a/dojo/api_v2/views.py
+++ b/dojo/api_v2/views.py
@@ -743,12 +743,7 @@ def download_file(self, request, file_id, pk=None):
 
 
 class RiskAcceptanceViewSet(
-    prefetch.PrefetchListMixin,
-    prefetch.PrefetchRetrieveMixin,
-    mixins.DestroyModelMixin,
-    mixins.UpdateModelMixin,
-    viewsets.ReadOnlyModelViewSet,
-    dojo_mixins.DeletePreviewModelMixin,
+    PrefetchDojoModelViewSet
 ):
     serializer_class = serializers.RiskAcceptanceSerializer
     queryset = Risk_Acceptance.objects.none()
diff --git a/unittests/test_apiv2_methods_and_endpoints.py b/unittests/test_apiv2_methods_and_endpoints.py
index 8163de19534..408dd7cc060 100644
--- a/unittests/test_apiv2_methods_and_endpoints.py
+++ b/unittests/test_apiv2_methods_and_endpoints.py
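Review bot: The new `validate` enforces Finding_View on `accepted_findings` only when the request method is `POST`, so a `PUT`/`PATCH` that swaps in other findings skips the check entirely — the viewset removed `mixins.UpdateModelMixin` in this same commit but presumably still serves updates through `PrefetchDojoModelViewSet`. Widening the guard to `if self.context["request"].method in ("POST", "PUT", "PATCH"):` closes that gap. `data['accepted_findings']` also raises KeyError (surfacing as a 500) when the field is absent from the body; `findings = data.get('accepted_findings', [])` keeps the loop a no-op in that case, assuming the serializer treats the field as optional. The enclosing RiskAcceptanceSerializer class starts outside the hunk.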
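Review bot: Swapping the read-only base for `PrefetchDojoModelViewSet` exposes `create` on risk acceptances, but the hunk shows no change to the viewset's permission handling, and the serializer check added in this commit only verifies Finding_View on the selected findings, not that the caller may create a risk acceptance on the target engagement. Confirm that the class's `permission_classes` (outside the hunk) gates `POST` with the engagement-level check before this merges. A class docstring such as `"""List/retrieve/create/update/delete Risk_Acceptance; the serializer re-checks Finding_View on accepted_findings."""` would record the intent. The trailing comma was also dropped from the bases list; `PrefetchDojoModelViewSet,` keeps the previous multi-line style.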
@@ -45,7 +45,7 @@ def test_is_defined(self):
         exempt_list = [ 'import-scan', 'reimport-scan', 'notes', 'system_settings', 'roles', 'import-languages', 'endpoint_meta_import', 'test_types',
-                       'configuration_permissions', 'risk_acceptance', 'questionnaire_questions',
+                       'configuration_permissions', 'questionnaire_questions',
                        'questionnaire_answers', 'questionnaire_answered_questionnaires', 'questionnaire_engagement_questionnaires', 'questionnaire_general_questionnaires', 'dojo_group_members', 'product_members', 'product_groups', 'product_type_groups',
diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py
index 979b0c36bb7..01d6ed27492 100644
--- a/unittests/test_rest_framework.py
+++ b/unittests/test_rest_framework.py
@@ -967,6 +967,12 @@ def __init__(self, *args, **kwargs):
         self.deleted_objects = 3
         BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs)
 
+    def test_create_object_not_authorized(self):
+        self.setUp_not_authorized()
+
+        response = self.client.post(self.url, self.payload)
+        self.assertEqual(403, response.status_code, response.content[:1000])
+
 class FindingRequestResponseTest(DojoAPITestCase):
     fixtures = ['dojo_testdata.json']
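Review bot: `test_create_object_not_authorized` covers only the fully unauthorized caller set up by `setUp_not_authorized()`, so the 403 it asserts can come from the view's permission class alone and does not demonstrate the per-finding Finding_View check this commit adds to the serializer. A second case with a user who is allowed to create the risk acceptance but lacks Finding_View on one of the findings in the payload would pin that path (assuming `self.payload` carries `accepted_findings`), and a positive create test would show the newly exposed endpoint works for an authorized user. Add a one-line docstring, `"""POST by a user with no permissions must be rejected with 403."""`. The enclosing test class starts outside the hunk.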