diff --git a/CHANGES.rst b/CHANGES.rst
index 7850459f0..708dae83a 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -5,6 +5,8 @@ Version 3.1.4
 Unreleased
+- The debugger pin fails after 10 attempts instead of 11. :pr:`3020`
+
 Version 3.1.3
 -------------
diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
index 5dc0486f0..afc6dbbce 100644
--- a/src/werkzeug/debug/__init__.py
+++ b/src/werkzeug/debug/__init__.py
@@ -441,6 +441,11 @@ def check_pin_trust(self, environ: WSGIEnvironment) -> bool | None:
 """
 if self.pin is None:
 return True
+
+ # If we failed too many times, then we're locked out.
+ if self._failed_pin_auth.value >= 10:
+ return False
+
 val = parse_cookie(environ).get(self.pin_cookie_name)
 if not val or "|" not in val:
 return False
@@ -490,7 +495,7 @@ def pin_auth(self, request: Request) -> Response:
 auth = True
 # If we failed too many times, then we're locked out.
- elif self._failed_pin_auth.value > 10:
+ elif self._failed_pin_auth.value >= 10:
 exhausted = True
 # Otherwise go through pin based authentication
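Review bot: The lockout limit `10` is now a bare literal in two comparisons, here in check_pin_trust and again in the pin_auth hunk below, and the off-by-one this commit corrects is the kind of drift a single definition prevents. I would define it once, for example `_MAX_FAILED_PIN_ATTEMPTS = 10` (a suggested name, not one that appears on this page), and compare both sites against it. The added comment is also copied from pin_auth and does not say what is new here: because the check runs before the cookie is read, a browser that already holds a valid trust cookie is refused as well once the counter reaches the limit. A comment such as `# Locked out: refuse trust even for a valid cookie once the failure limit is reached.` would make that intent explicit. The docstring and the rest of check_pin_trust lie outside the hunk.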
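Review bot: Nothing in the part of the diff visible here pins the boundary that this `>=` moves, so a later edit could bring the eleventh attempt back unnoticed. A regression test that records ten failed attempts and then asserts that the next pin_auth response reports the exhausted state, and that check_pin_trust returns False at that point, would hold the limit in place. Tests may exist elsewhere in the commit. pin_auth starts and ends outside the hunk.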