diff --git a/src/Umbraco.Cms.Api.Delivery/Controllers/Security/MemberController.cs b/src/Umbraco.Cms.Api.Delivery/Controllers/Security/MemberController.cs
index a9c670b7ad..102bf16224 100644
--- a/src/Umbraco.Cms.Api.Delivery/Controllers/Security/MemberController.cs
+++ b/src/Umbraco.Cms.Api.Delivery/Controllers/Security/MemberController.cs
@@ -160,11 +160,12 @@ public class MemberController : DeliveryApiControllerBase
 claim.SetDestinations(OpenIddictConstants.Destinations.AccessToken);
 }
- if (request.GetScopes().Contains(OpenIddictConstants.Scopes.OfflineAccess))
- {
- // "offline_access" scope is required to use refresh tokens
- memberPrincipal.SetScopes(OpenIddictConstants.Scopes.OfflineAccess);
- }
+ // "openid" and "offline_access" are the only scopes allowed for members; explicitly ensure we only add those
+ // NOTE: the "offline_access" scope is required to use refresh tokens
+ IEnumerable allowedScopes = request
+ .GetScopes()
+ .Intersect(new[] { OpenIddictConstants.Scopes.OpenId, OpenIddictConstants.Scopes.OfflineAccess });
+ memberPrincipal.SetScopes(allowedScopes);
 return new SignInResult(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme, memberPrincipal);
 }
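Review bot: `IEnumerable allowedScopes` on the added lines is the non-generic interface, and `SetScopes` on the principal takes `IEnumerable<string>` or `params string[]`, so this would not compile as shown — if the `<string>` type argument was merely lost in rendering this is moot, otherwise `var allowedScopes = request.GetScopes().Intersect(...)` avoids the mismatch. The allow-list array is rebuilt on every token request; hoisting it to a field such as `private static readonly string[] AllowedMemberScopes = new[] { OpenIddictConstants.Scopes.OpenId, OpenIddictConstants.Scopes.OfflineAccess };` keeps the member scope policy in one named, auditable place. Requested scopes outside that set are still silently dropped, which is the safe default, but a comment stating that a granted token may carry fewer scopes than requested (and is not an error) would help whoever next touches this. The enclosing method starts before the hunk.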