diff --git a/app/graphql/mutations/update_notification_preferences.rb b/app/graphql/mutations/update_notification_preferences.rb
index 6408163465e..1adc3bad329 100644
--- a/app/graphql/mutations/update_notification_preferences.rb
+++ b/app/graphql/mutations/update_notification_preferences.rb
@@ -87,6 +87,11 @@ class Mutations::UpdateNotificationPreferences < Mutations::BaseMutation
 # check for the presence of one of the arguments needed to update notification policies
 if input[:communication_channel_id]
 communication_channel = CommunicationChannel.find(input[:communication_channel_id])
+
+ if communication_channel.user_id != current_user.id
+ raise GraphQL::ExecutionError, "not found"
+ end
+
 if input[:is_policy_override]
 NotificationPolicyOverride.create_or_update_for(communication_channel, input[:notification_category].tr("_", " "), input[:frequency], context)
 else
diff --git a/spec/graphql/mutations/update_notification_preferences_spec.rb b/spec/graphql/mutations/update_notification_preferences_spec.rb
index 557bc379f94..3530f852c55 100644
--- a/spec/graphql/mutations/update_notification_preferences_spec.rb
+++ b/spec/graphql/mutations/update_notification_preferences_spec.rb
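Review bot: The ownership check on `communication_channel.user_id` runs after `CommunicationChannel.find`, so an id that does not exist still raises `ActiveRecord::RecordNotFound` from `find`, while an id owned by another user gets the new `GraphQL::ExecutionError, "not found"` — two different error shapes for what should look like the same outcome, and the difference lets a caller tell which ids exist (how the schema renders RecordNotFound is not visible in this hunk). Scoping the lookup to the caller collapses both into one path: `communication_channel = CommunicationChannel.find_by(id: input[:communication_channel_id], user_id: current_user.id)` followed by `raise GraphQL::ExecutionError, "not found" unless communication_channel`. A short comment such as `# scoped to current_user so missing and foreign ids are indistinguishable to the caller` would record why "not found" rather than an authorization error is returned. The enclosing method continues outside the hunk, so any other branch that accepts a channel id is not reviewed here.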
@@ -333,6 +333,22 @@ RSpec.describe Mutations::UpdateNotificationPreferences do
 result.dig(:data, :updateNotificationPreferences, :user, :notificationPreferences, :channels, 0, :notificationPolicies, 0, :frequency)
 ).to eq("immediately")
 end
+
+ it "throw not found when communication channel doesn't belong to current_user" do
+ Notification.create!(name: "Discussion Mention", subject: "Test", category: "DiscussionMention")
+ result = CanvasSchema.execute(mutation_str(context_type: "Account",
+ account_id: @account.id,
+ communication_channel_id: @teacher.communication_channels.first.id,
+ notification_category: "DiscussionMention",
+ frequency: "immediately"), context: {
+ current_user: @student,
+ request: ActionDispatch::TestRequest.create,
+ domain_root_account: @account
+ })
+ result = result.to_h.with_indifferent_access
+
+ expect(result[:errors][0][:message]).to be "not found"
+ end
 end
 
 describe "invalid input" do
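Review bot: `expect(result[:errors][0][:message]).to be "not found"` uses RSpec's `be` with an argument, which compares by `equal?` (object identity); for a string this only passes while both sides happen to be the same deduplicated frozen literal and would break as soon as the message is built dynamically. Use value equality instead: `expect(result[:errors][0][:message]).to eq "not found"`. The example also only checks the error text; an assertion that no notification policy was created or updated for `@teacher.communication_channels.first` would pin the negative outcome the guard is meant to guarantee. The description `throw not found` reads more naturally as `raises not found`.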