diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php
index 5e8664396..4b91eb019 100644
--- a/app/Model/Attribute.php
+++ b/app/Model/Attribute.php
@@ -2027,7 +2027,7 @@ class Attribute extends AppModel
 * @param array $user
 * @param array $options
 * @param int|false $result_count If false, count is not fetched
- * @return array|int|null
+ * @return array
 * @throws Exception
 */
 public function fetchAttributes(array $user, array $options = [], &$result_count = false)
diff --git a/tests/testlive_security.py b/tests/testlive_security.py
index b0cba44e8..d6187c823 100644
--- a/tests/testlive_security.py
+++ b/tests/testlive_security.py
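Review bot: The narrowed `@return array` on fetchAttributes is only a docblock assertion; nothing in the hunk enforces it, and the method body lies outside the hunk, so any surviving `return null` or integer-count path would now contradict the documentation silently. If the body indeed only returns arrays and no subclass overrides it with a wider type, let the engine check it with a native return type, `public function fetchAttributes(array $user, array $options = [], &$result_count = false): array`, which also lets static analysis flag callers that still test the result for null. The by-reference `$result_count` parameter is untouched by this commit, but its `@param int|false` line could state that the count is written back into it when a count is requested, since "If false, count is not fetched" describes only the input side.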
@@ -1234,6 +1234,32 @@ class TestSecurity(unittest.TestCase):
 self.admin_misp_connector.delete_user(publisher_user)
 self.admin_misp_connector.delete_organisation(different_org)
+ def test_unpublished_private(self):
+ with self.__setting("MISP.unpublishedprivate", True):
+ created_event = self.admin_misp_connector.add_event(self.__generate_event())
+ self.assertIsInstance(created_event, MISPEvent, "Admin user should be able to create event")
+
+ logged_in = PyMISP(url, self.test_usr.authkey)
+ # Event is not published, so normal user should not see that event
+ self.assertFalse(logged_in.event_exists(created_event.uuid))
+ fetched_event = logged_in.get_event(created_event.uuid)
+ self.assertEqual(fetched_event["errors"][0], 404)
+ attributes = logged_in.search(controller='attributes', uuid=created_event.uuid)
+ self.assertEqual(len(attributes["Attribute"]), 0, attributes)
+
+ # Publish
+ self.assertSuccessfulResponse(self.admin_misp_connector.publish(created_event))
+
+ # Event is published, so normal user should see that event
+ self.assertTrue(logged_in.event_exists(created_event.uuid))
+ fetched_event = logged_in.get_event(created_event.uuid)
+ self.assertSuccessfulResponse(fetched_event, "User should be able to see published event")
+ attributes = logged_in.search(controller='attributes', uuid=created_event.uuid)
+ self.assertEqual(len(attributes["Attribute"]), 1, attributes)
+
+ # Cleanup
+ self.admin_misp_connector.delete_event(created_event)
+
 def test_sg_index_user_cannot_see(self):
 org = self.__create_org()
 hidden_sg = self.__create_sharing_group()
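Review bot: The cleanup at the end of test_unpublished_private runs only when every assertion before it passes, so a failing assertion leaves the unpublished event behind after the `with self.__setting("MISP.unpublishedprivate", True):` block has already restored the setting, and later tests in this class then run against a stale event that is visible under the default configuration. Register the cleanup right after creation instead, `self.addCleanup(self.admin_misp_connector.delete_event, created_event)`, and drop the trailing delete_event call. The `fetched_event["errors"][0]` and `attributes["Attribute"]` lookups also assume a specific response shape; if search returns a list or an empty mapping when nothing matches, the negative check fails with a TypeError or KeyError rather than a clear assertion message, so asserting on the shape before indexing would make the access-control check easier to read on failure — I cannot confirm the response shape from here. The enclosing TestSecurity class continues outside the hunk.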