diff --git a/src/ech.c b/src/ech.c
index ecc64dd03..d7e74dbcc 100644
--- a/src/ech.c
+++ b/src/ech.c
@@ -136,6 +136,10 @@ static int cli_parse_show_ech(char **args, char *payload,
 {
 	struct show_ech_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
 
+	if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+		return 1;
+
+
 	/* no parameter, shows only file list */
 	if (*args[3]) {
 		SSL_CTX *sctx = NULL;
@@ -297,6 +301,9 @@ static int cli_parse_add_ech(char **args, char *payload, struct appctx *appctx,
 	OSSL_ECHSTORE *es = NULL;
 	BIO *es_in = NULL;
 
+	if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+		return 1;
+
 	if (!*args[3] || !payload)
 		return cli_err(appctx, "syntax: add ssl ech <name> <PEM file content>");
 	if (cli_find_ech_specific_ctx(args[3], &sctx) != 1)
@@ -324,6 +331,9 @@ static int cli_parse_set_ech(char **args, char *payload, struct appctx *appctx,
 	OSSL_ECHSTORE *es = NULL;
 	BIO *es_in = NULL;
 
+	if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+		return 1;
+
 	if (!*args[3] || !payload)
 		return cli_err(appctx, "syntax: set ssl ech <name> <PEM file content>");
 	if (cli_find_ech_specific_ctx(args[3], &sctx) != 1)
@@ -351,6 +361,9 @@ static int cli_parse_del_ech(char **args, char *payload, struct appctx *appctx,
 	char success_message[ECH_SUCCESS_MSG_MAX];
 	OSSL_ECHSTORE *es = NULL;
 
+	if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+		return 1;
+
 	if (!*args[3])
 		return cli_err(appctx, "syntax: del ssl ech <name>");
 	if (*args[4])