diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md
index 843ecc405..0890c3ab7 100644
--- a/CHANGELOG.unreleased.md
+++ b/CHANGELOG.unreleased.md
@@ -7,6 +7,8 @@
 
 > Users must be able to say: “Nice enhancement, I'm eager to test it”
 
+- [VIF] To edit MAC address on a VIF, user has to be operator of the VIF and administrator of its network [#4700](https://github.com/vatesfr/xen-orchestra/issues/4700) (PR [#5631](https://github.com/vatesfr/xen-orchestra/pull/5631))
+
 ### Bug fixes
 
 > Users must be able to say: “I had this issue, happy to know it's fixed”
@@ -31,4 +33,4 @@
 > In case of conflict, the highest (lowest in previous list) `$version` wins.
 
 - xo-server minor
-- xo-web patch
+- xo-web patch
\ No newline at end of file
diff --git a/packages/xo-server/src/api/vif.js b/packages/xo-server/src/api/vif.js
index a3d93a607..03daaf9fd 100644
--- a/packages/xo-server/src/api/vif.js
+++ b/packages/xo-server/src/api/vif.js
@@ -89,6 +89,9 @@ export async function set({
 
   if (isNetworkChanged || mac) {
     const networkId = network?.id
+    if (mac !== undefined && this.user.permission !== 'admin') {
+      await this.checkPermissions(this.user.id, [[networkId ?? vif.$network, 'administrate']])
+    }
     if (networkId !== undefined && this.user.permission !== 'admin') {
       if (resourceSet !== undefined) {
         await this.checkResourceSetConstraints(resourceSet, this.user.id, [networkId])