diff --git a/services/web/app/src/Features/Subscription/SubscriptionController.mjs b/services/web/app/src/Features/Subscription/SubscriptionController.mjs
index ca21ca6f51..550d9124b5 100644
--- a/services/web/app/src/Features/Subscription/SubscriptionController.mjs
+++ b/services/web/app/src/Features/Subscription/SubscriptionController.mjs
@@ -172,6 +172,39 @@ function formatGroupPlansDataForDash() {
 }
 }
+/**
+ * Trim the staffAccess object to only include allowed fields
+ * @param {Object} user - The user object with mongoose object fields
+ * @returns {Object} - User object with trimmed staffAccess
+ */
+function _trimStaffAccess(user) {
+ if (!user || !user.staffAccess) return user
+ const allowedFields = [
+ 'publisherMetrics',
+ 'publisherManagement',
+ 'institutionMetrics',
+ 'institutionManagement',
+ 'groupMetrics',
+ 'groupManagement',
+ 'adminMetrics',
+ 'splitTestMetrics',
+ 'splitTestManagement',
+ ]
+ const trimmedStaffAccess = allowedFields.reduce((acc, key) => {
+ if (key in user.staffAccess) {
+ acc[key] = user.staffAccess[key]
+ }
+ return acc
+ }, {})
+ return {
+ ...user,
+ staffAccess: trimmedStaffAccess,
+ }
+}
+
 async function userSubscriptionPage(req, res) {
 const user = SessionManager.getSessionUser(req.session)
 await SplitTestHandler.promises.getAssignment(req, res, 'pause-subscription')
@@ -304,7 +337,7 @@ async function userSubscriptionPage(req, res) {
 title: 'your_subscriptions',
 plans: plansData?.plans,
 planCodesChangingAtTermEnd: plansData?.planCodesChangingAtTermEnd,
- user,
+ user: _trimStaffAccess(user),
 hasSubscription,
 fromPlansPage,
 redirectedPaymentErrorCode,
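Review bot: `_trimStaffAccess` allowlists `staffAccess`, but the closing `{ ...user, staffAccess: trimmedStaffAccess }` still forwards every other field of `user` to the template untrimmed, and the JSDoc's "mongoose object fields" sits badly with that spread — spreading a mongoose document copies its internal properties rather than its schema paths, so the result would not resemble the user at all. At the only visible call site the argument is `SessionManager.getSessionUser(req.session)`, which is presumably a plain session object, so either reword the JSDoc to `@param {Object} user - plain session user object (not a mongoose document)` or normalise first with `const plain = typeof user.toObject === 'function' ? user.toObject() : user` and spread that. Separately, `key in user.staffAccess` consults the prototype chain; with a fixed list of literal keys this is harmless today, but `Object.hasOwn(user.staffAccess, key)` states the intent and is the safer default if `staffAccess` is a plain object. The values themselves are copied through unchanged, so anything non-boolean stored under an allowed key still reaches the view; if these are flags, `acc[key] = Boolean(user.staffAccess[key])` pins that contract.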