diff --git a/api/routes.py b/api/routes.py
index c5da3146..33fbf2c5 100644
--- a/api/routes.py
+++ b/api/routes.py
@@ -7619,6 +7619,13 @@ def _session_media_token_allows_image_path(sid: str, target: Path, image_mimes:
 for message in getattr(session, "messages", []) or []:
 if not isinstance(message, dict):
 continue
+ # Only honor MEDIA: tokens that the assistant/tool emitted. User-authored
+ # content cannot mint allow-list entries even if it contains a MEDIA:
+ # token — keeps the implicit threat model (assistant-emitted artifacts
+ # only) explicit.
+ role = str(message.get("role") or "").strip().lower()
+ if role == "user":
+ continue
 text = _message_content_text(message.get("content"))
 if "MEDIA:" not in text:
 continue
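Review bot: The new role check is a denylist, so it does not enforce what its own comment states: `if role == "user": continue` still lets a message with a missing or empty role, or any other role value such as `system`, reach the MEDIA: scan and add allow-list entries. An allowlist fails closed and matches the comment, e.g. `if role not in {"assistant", "tool"}: continue`; the exact role names this project stores are not visible in the hunk, so confirm them against the code that writes session messages. If tool results can carry text copied from user input or fetched content, a MEDIA: token inside them would still be honored, which may deserve a sentence in the comment. The loop and the rest of `_session_media_token_allows_image_path` continue outside the hunk.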