diff --git a/ee/app/graphql/ee/types/mutation_type.rb b/ee/app/graphql/ee/types/mutation_type.rb
index 69a63708f2ed5837f852d976778279e33970c093..60c940b135e041853739df0d6b60403e45923780 100644
--- a/ee/app/graphql/ee/types/mutation_type.rb
+++ b/ee/app/graphql/ee/types/mutation_type.rb
@@ -118,7 +118,8 @@ def self.authorization_scopes
 mount_mutation ::Mutations::Vulnerabilities::CreateExternalIssueLink
 mount_mutation ::Mutations::Vulnerabilities::DestroyExternalIssueLink
 mount_mutation ::Mutations::Vulnerabilities::BulkSeverityOverride, scopes: [:api, :read_api, :ai_workflows]
- mount_mutation ::Mutations::Vulnerabilities::CreateIssue, experiment: { milestone: '17.9' }
+ mount_mutation ::Mutations::Vulnerabilities::CreateIssue, experiment: { milestone: '17.9' },
+ scopes: [:api, :read_api, :ai_workflows]
 mount_mutation ::Mutations::Vulnerabilities::RefreshVulnerabilityFindingTokenStatus
 mount_mutation ::Mutations::Boards::UpdateEpicUserPreferences,
 deprecated: { reason: 'Replaced by WorkItem type', milestone: '17.5' }
diff --git a/ee/app/graphql/mutations/vulnerabilities/create_issue.rb b/ee/app/graphql/mutations/vulnerabilities/create_issue.rb
index 2865f9643145d623ae80c3c136d038a148c7d8d3..ef113b1a1d2ae160271b090c7e429fb8622eefd6 100644
--- a/ee/app/graphql/mutations/vulnerabilities/create_issue.rb
+++ b/ee/app/graphql/mutations/vulnerabilities/create_issue.rb
@@ -26,6 +26,10 @@ class CreateIssue < BaseMutation
 validates: { length: { minimum: 1, maximum: MAX_VULNERABILITIES } },
 description: "IDs of vulnerabilities to link to the given issue. Up to #{MAX_VULNERABILITIES} can be provided."
+ def self.authorization_scopes
+ [:api, :read_api, :ai_workflows]
+ end
+
 def resolve(vulnerability_ids:, project:)
 project = authorized_find!(id: project)
diff --git a/ee/spec/graphql/ee/types/mutation_type_spec.rb b/ee/spec/graphql/ee/types/mutation_type_spec.rb
index 6db0c467c8182e3fe77183d2e7b4f3d110a8a067..dc1f05a8440bc9578beccbf318e770f1ad737ea0 100644
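Review bot: `:read_api` is in the `scopes:` list added to the `CreateIssue` mount, yet this mutation creates an issue, so (assuming `scopes:` names the token scopes allowed to call the field) a token its owner issued as read-only could write project data. If the aim is only to admit `ai_workflows` tokens, `scopes: [:api, :ai_workflows]` is the narrower grant, and the same applies to `self.authorization_scopes` in create_issue.rb. The `BulkSeverityOverride` line above carries the same list, so if the framework needs `:read_api` there, a one-line comment saying why would save the next reviewer the question. The enclosing block starts and ends outside the hunk.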
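Review bot: The list returned by `self.authorization_scopes` repeats the one passed as `scopes:` on the mount line in ee/app/graphql/ee/types/mutation_type.rb, and nothing ties the two together, so a later edit to one can leave the other wider or narrower without any failure. I would add a comment above the method such as `# Token scopes allowed to run this mutation; keep in sync with scopes: on its mount_mutation line.` Because more token scopes now reach `resolve`, it is also worth confirming that every entry in `vulnerability_ids` is authorized and not only the project. `resolve` continues past the end of the hunk, so that cannot be checked from here.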
--- a/ee/spec/graphql/ee/types/mutation_type_spec.rb
+++ b/ee/spec/graphql/ee/types/mutation_type_spec.rb
@@ -63,4 +63,11 @@ def get_field(name)
 expect(mutation.instance_variable_get(:@scopes)).to include(:api, :read_api, :ai_workflows)
 end
 end
+
+ describe 'vulnerability create issue mutation scopes' do
+ it 'includes api, read_api, ai_workflows scopes' do
+ mutation = described_class.fields['vulnerabilitiesCreateIssue']
+ expect(mutation.instance_variable_get(:@scopes)).to include(:api, :read_api, :ai_workflows)
+ end
+ end
 end
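Review bot: `include(:api, :read_api, :ai_workflows)` in the new example passes for any superset, so a later change that adds a broader scope to `vulnerabilitiesCreateIssue` would not fail this spec. Pinning the list with `expect(mutation.instance_variable_get(:@scopes)).to contain_exactly(:api, :read_api, :ai_workflows)` would catch accidental widening. The example also covers only the field's `@scopes`; `Mutations::Vulnerabilities::CreateIssue.authorization_scopes`, added in the same commit, has no assertion. Reading an instance variable ties the spec to the field's internals.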