diff --git a/package.json b/package.json
index 591b71ba5..26cd7428f 100644
--- a/package.json
+++ b/package.json
@@ -40,6 +40,7 @@
 "bluebird": "^2.9.14",
 "body-parser": "^1.13.3",
 "connect-flash": "^0.1.1",
+ "cookie": "^0.2.3",
 "cookie-parser": "^1.3.5",
 "cron": "^1.0.9",
 "d3-time-format": "^0.1.3",
diff --git a/src/index.js b/src/index.js
index e6ec98481..74a7e627a 100644
--- a/src/index.js
+++ b/src/index.js
@@ -45,7 +45,8 @@ import connectFlash from 'connect-flash'
 import cookieParser from 'cookie-parser'
 import expressSession from 'express-session'
 import passport from 'passport'
-import {Strategy as LocalStrategy} from 'passport-local'
+import { parse as parseCookies } from 'cookie'
+import { Strategy as LocalStrategy } from 'passport-local'
 // ===================================================================
@@ -489,6 +490,16 @@ const setUpConsoleProxy = (webServer, xo) => {
 const [, id] = matches
 try {
+ // TODO: factorize permissions checking in an Express middleware.
+ {
+ const { token } = parseCookies(req.headers.cookie)
+
+ const user = await xo.authenticateUser({ token })
+ if (!await xo.hasPermissions(user.id, [ [ id, 'operate' ] ])) { // eslint-disable-line space-before-keywords
+ throw new InvalidCredential()
+ }
+ }
+
 const xapi = xo.getXAPI(id, ['VM', 'VM-controller'])
 const vmConsole = xapi.getVmConsole(id)
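Review bot: The `parse` function imported from `cookie` on the new side throws a TypeError when its argument is not a string, so the `parseCookies(req.headers.cookie)` call this diff adds later will throw rather than return an empty object whenever a client opens the console without any Cookie header; passing `parseCookies(req.headers.cookie || '')`, or rejecting explicitly on a missing header, makes that path a deliberate credential rejection instead of a type error, assuming the surrounding catch does not already treat the two the same way. The same hunk also re-spaces the otherwise unchanged `passport-local` import from `{Strategy as LocalStrategy}` to `{ Strategy as LocalStrategy }`, a cosmetic change that is easier to review in its own commit.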