diff --git a/frontend/src/components/SettingsSidebar/index.jsx b/frontend/src/components/SettingsSidebar/index.jsx
index f194e8a0c..d0e72a5ce 100644
--- a/frontend/src/components/SettingsSidebar/index.jsx
+++ b/frontend/src/components/SettingsSidebar/index.jsx
@@ -316,6 +316,7 @@ const SidebarOptions = ({ user = null, t }) => (
               className="h-5 w-5 flex-shrink-0 light:invert"
             />
           }
+          user={user}
           childOptions={[
             {
               btnText: t("settings.community-hub.trending"),
diff --git a/server/endpoints/admin.js b/server/endpoints/admin.js
index 7922b29ef..e87d9d209 100644
--- a/server/endpoints/admin.js
+++ b/server/endpoints/admin.js
@@ -324,6 +324,7 @@ function adminEndpoints(app) {
     [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
+        const user = await userFromSession(request, response);
         const requestedSettings = {};
         const labels = request.query.labels?.split(",") || [];
         const needEmbedder = [
@@ -339,10 +340,27 @@ function adminEndpoints(app) {
           "meta_page_favicon",
         ];
 
+        // Managers can only read a limited set of settings.
+        // These match the ManagerRoute pages in the frontend.
+        const managerAllowedFields = [
+          "custom_app_name",
+          "footer_data",
+          "support_email",
+          "meta_page_title",
+          "meta_page_favicon",
+        ];
+
         for (const label of labels) {
           // Skip any settings that are not explicitly defined as public
           if (!SystemSettings.publicFields.includes(label)) continue;
 
+          // Managers can only read manager-allowed fields
+          if (
+            user?.role === ROLES.manager &&
+            !managerAllowedFields.includes(label)
+          )
+            continue;
+
           // Only get the embedder if the setting actually needs it
           let embedder = needEmbedder.includes(label)
             ? getEmbeddingEngineSelection()
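Review bot: The new manager restriction on the settings read path fails open when `userFromSession` returns null, because `user?.role === ROLES.manager` is false for a missing user and the request then gets the unrestricted admin behaviour; the update path in the `-419` hunk uses the same pattern. If this handler can legitimately be reached with no session user (single-user mode, or a session that no longer resolves) only because `flexUserRoleValid` lets it through, that is presumably intended but should be stated next to the lookup, e.g. `// No session user (single-user mode) is treated as unrestricted; managers are filtered below`. If it is not intended, the fail-closed form keys the exemption on the admin role instead, `const isRestricted = user?.role !== ROLES.admin;`, and filters whenever `isRestricted` is true. The enclosing route handler starts and ends outside the hunk.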
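Review bot: `managerAllowedFields` is declared inline in this hunk and declared again, with the same five entries, inside the manager branch of the update handler in the `-419` hunk; the comments say both must also match the frontend ManagerRoute pages, so three copies now have to drift together. Hoisting the list to one module-level constant near the top of `server/endpoints/admin.js`, e.g. `const MANAGER_ALLOWED_SETTINGS = Object.freeze(["custom_app_name", "footer_data", "support_email", "meta_page_title", "meta_page_favicon"]);`, or placing it beside `SystemSettings.publicFields` which this loop already consults, would give the read and update paths a single allowlist. The `for` loop body continues outside the hunk.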
@@ -419,7 +437,29 @@ function adminEndpoints(app) {
     [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
-        const updates = reqBody(request);
+        const user = await userFromSession(request, response);
+        let updates = reqBody(request);
+
+        // Managers can only update a limited set of settings.
+        // These match the ManagerRoute pages in the frontend.
+        // Admin users can update all supportedFields without restriction.
+        if (user?.role === ROLES.manager) {
+          const managerAllowedFields = [
+            "custom_app_name",
+            "footer_data",
+            "support_email",
+            "meta_page_title",
+            "meta_page_favicon",
+          ];
+          const filteredUpdates = {};
+          for (const key of Object.keys(updates)) {
+            if (managerAllowedFields.includes(key)) {
+              filteredUpdates[key] = updates[key];
+            }
+          }
+          updates = filteredUpdates;
+        }
+
         await SystemSettings.updateSettings(updates);
         response.status(200).json({ success: true, error: null });
       } catch (e) {
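Review bot: A manager whose body contains keys outside `managerAllowedFields` still receives `{ success: true, error: null }` even though those keys were silently discarded, so the caller cannot distinguish a partial write from a full one, and an attempt to set an admin-only field leaves no trace. Rejecting the request, or at least recording the dropped keys, keeps the response honest and makes such attempts visible: after the filter loop, `const dropped = Object.keys(updates).filter((k) => !managerAllowedFields.includes(k));` followed by `if (dropped.length > 0) return response.status(403).json({ success: false, error: \`Not permitted: ${dropped.join(", ")}\` });`. Separately, `Object.keys(updates)` throws when `reqBody` yields a non-object, which the surrounding `catch` presumably turns into a 500 rather than a 400. The handler's catch block continues outside the hunk.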