diff --git a/.github/workflows/files-external-s3.yml b/.github/workflows/files-external-s3.yml
index bb9292b156f42..5ff3e06561847 100644
--- a/.github/workflows/files-external-s3.yml
+++ b/.github/workflows/files-external-s3.yml
@@ -48,7 +48,7 @@ jobs:
 
     services:
       minio:
-        image: bitnami/minio
+        image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22
         env:
           MINIO_ROOT_USER: nextcloud
           MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ=
diff --git a/.github/workflows/integration-s3-primary.yml b/.github/workflows/integration-s3-primary.yml
index 6c798e7e43b5a..31a7b1386b9bb 100644
--- a/.github/workflows/integration-s3-primary.yml
+++ b/.github/workflows/integration-s3-primary.yml
@@ -53,7 +53,7 @@ jobs:
         ports:
           - 6379:6379/tcp
       minio:
-        image: bitnami/minio
+        image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22
         env:
           MINIO_ROOT_USER: nextcloud
           MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ=
diff --git a/.github/workflows/object-storage-s3.yml b/.github/workflows/object-storage-s3.yml
index 472f22760f5d4..9efec494e280b 100644
--- a/.github/workflows/object-storage-s3.yml
+++ b/.github/workflows/object-storage-s3.yml
@@ -58,7 +58,7 @@ jobs:
         options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3
 
       minio:
-        image: bitnami/minio
+        image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22
         env:
           MINIO_ROOT_USER: nextcloud
           MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ=
diff --git a/.github/workflows/phpunit-object-store-primary.yml b/.github/workflows/phpunit-object-store-primary.yml
index 0c8140a96ce2e..c64929ff89b64 100644
--- a/.github/workflows/phpunit-object-store-primary.yml
+++ b/.github/workflows/phpunit-object-store-primary.yml
@@ -60,7 +60,7 @@ jobs:
         options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3
 
       minio:
-        image: bitnami/minio
+        image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22
         env:
           MINIO_ROOT_USER: nextcloud
           MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ=
diff --git a/apps/dav/lib/CardDAV/ContactsManager.php b/apps/dav/lib/CardDAV/ContactsManager.php
index 80f852ef634a0..4906e2f7d4ae3 100644
--- a/apps/dav/lib/CardDAV/ContactsManager.php
+++ b/apps/dav/lib/CardDAV/ContactsManager.php
@@ -27,6 +27,7 @@
 
 use OCA\DAV\Db\PropertyMapper;
 use OCP\Contacts\IManager;
+use OCP\IAppConfig;
 use OCP\IL10N;
 use OCP\IURLGenerator;
 
@@ -40,16 +41,20 @@ class ContactsManager {
 	/** @var PropertyMapper */
 	private $propertyMapper;
 
+	/** @var IAppConfig */
+	private $appConfig;
+
 	/**
 	 * ContactsManager constructor.
 	 *
 	 * @param CardDavBackend $backend
 	 * @param IL10N $l10n
 	 */
-	public function __construct(CardDavBackend $backend, IL10N $l10n, PropertyMapper $propertyMapper) {
+	public function __construct(CardDavBackend $backend, IL10N $l10n, PropertyMapper $propertyMapper, IAppConfig $appConfig) {
 		$this->backend = $backend;
 		$this->l10n = $l10n;
 		$this->propertyMapper = $propertyMapper;
+		$this->appConfig = $appConfig;
 	}
 
 	/**
@@ -69,6 +74,11 @@ public function setupContactsProvider(IManager $cm, $userId, IURLGenerator $urlG
 	 * @param IURLGenerator $urlGenerator
 	 */
 	public function setupSystemContactsProvider(IManager $cm, ?string $userId, IURLGenerator $urlGenerator) {
+		$systemAddressBookExposed = $this->appConfig->getValueBool('dav', 'system_addressbook_exposed', true);
+		if (!$systemAddressBookExposed) {
+			return;
+		}
+
 		$addressBooks = $this->backend->getAddressBooksForUser("principals/system/system");
 		$this->register($cm, $addressBooks, $urlGenerator, $userId);
 	}
diff --git a/apps/dav/tests/unit/CardDAV/ContactsManagerTest.php b/apps/dav/tests/unit/CardDAV/ContactsManagerTest.php
index 284e40ffbe2d7..bdbaba923ebfd 100644
--- a/apps/dav/tests/unit/CardDAV/ContactsManagerTest.php
+++ b/apps/dav/tests/unit/CardDAV/ContactsManagerTest.php
@@ -29,6 +29,7 @@
 use OCA\DAV\CardDAV\ContactsManager;
 use OCA\DAV\Db\PropertyMapper;
 use OCP\Contacts\IManager;
+use OCP\IAppConfig;
 use OCP\IL10N;
 use OCP\IURLGenerator;
 use Test\TestCase;
@@ -37,7 +38,8 @@ class ContactsManagerTest extends TestCase {
 	public function test(): void {
 		/** @var IManager | \PHPUnit\Framework\MockObject\MockObject $cm */
 		$cm = $this->getMockBuilder(IManager::class)->disableOriginalConstructor()->getMock();
-		$cm->expects($this->exactly(2))->method('registerAddressBook');
+		$cm->expects($this->exactly(1))->method('registerAddressBook');
+		/** @var IURLGenerator&MockObject $urlGenerator */
 		$urlGenerator = $this->getMockBuilder(IURLGenerator::class)->disableOriginalConstructor()->getMock();
 		/** @var CardDavBackend | \PHPUnit\Framework\MockObject\MockObject $backEnd */
 		$backEnd = $this->getMockBuilder(CardDavBackend::class)->disableOriginalConstructor()->getMock();
@@ -45,9 +47,12 @@ public function test(): void {
 			['{DAV:}displayname' => 'Test address book', 'uri' => 'default'],
 		]);
 		$propertyMapper = $this->createMock(PropertyMapper::class);
+		/** @var IAppConfig&MockObject $appConfig */
+		$appConfig = $this->createMock(IAppConfig::class);
 
+		/** @var IL10N&MockObject $l */
 		$l = $this->createMock(IL10N::class);
-		$app = new ContactsManager($backEnd, $l, $propertyMapper);
+		$app = new ContactsManager($backEnd, $l, $propertyMapper, $appConfig);
 		$app->setupContactsProvider($cm, 'user01', $urlGenerator);
 	}
 }
diff --git a/build/integration/features/contacts-menu.feature b/build/integration/features/contacts-menu.feature
index d058644867c7b..7d6c7d6fa2178 100644
--- a/build/integration/features/contacts-menu.feature
+++ b/build/integration/features/contacts-menu.feature
@@ -192,3 +192,19 @@ Feature: contacts-menu
     And searching for contacts matching with "test"
     # Disabled because it regularly fails on drone:
     # Then the list of searched contacts has "0" contacts
+
+  Scenario: users cannot list other users from the system address book
+    Given user "user0" exists
+    And user "user1" exists
+    And invoking occ with "config:app:set dav system_addressbook_exposed --value false"
+    And Logging in using web as "user1"
+    And searching for contacts matching with ""
+    Then the list of searched contacts has "0" contacts
+    And invoking occ with "config:app:delete dav system_addressbook_exposed"
+
+  Scenario: users can list other users from the system address book
+    Given user "user0" exists
+    And user "user1" exists
+    And Logging in using web as "user1"
+    And searching for contacts matching with ""
+    Then the list of searched contacts has "1" contacts