diff --git a/src/app/api/menu/route.ts b/src/app/api/menu/route.ts
index 80500ef..0632f30 100644
--- a/src/app/api/menu/route.ts
+++ b/src/app/api/menu/route.ts
@@ -11,9 +11,9 @@ export async function POST(request: NextRequest) {
 const body = await request.json();
 const menuObjId = body.MENUOBJID || "";
- const isAdmin = !!user.isAdmin;
- // super admin = 모든 메뉴, 일반 사용자 = 권한 그룹 매핑된 메뉴만 (자식이 있으면 부모도 자동 노출)
+ // 로그인한 사용자의 권한 그룹에 매핑된 메뉴만 노출 (자식이 권한에 있으면 부모 자동 표시).
+ // isAdmin 같은 백도어는 두지 않음 — 모든 사용자는 권한 그룹 매핑대로 동적으로 메뉴를 받는다.
 const rows = await queryRows(
 `SELECT MI.OBJID::text AS "objid",
 MI.MENU_NAME_KOR AS "menuNameKor",
@@ -27,12 +27,11 @@ export async function POST(request: NextRequest) {
 AND (MI.PARENT_OBJ_ID = $1::numeric
 OR MI.PARENT_OBJ_ID IN (SELECT OBJID FROM MENU_INFO WHERE PARENT_OBJ_ID = $1::numeric AND COALESCE(STATUS, '') = 'active'))
 AND (
- $2::boolean = true
- OR MI.OBJID IN (
+ MI.OBJID IN (
 SELECT ASM.menu_objid
 FROM authority_sub_user ASU
 JOIN authority_sub_menu ASM ON ASM.master_objid = ASU.master_objid
- WHERE ASU.user_id = $3::text
+ WHERE ASU.user_id = $2::text
 )
 OR EXISTS (
 SELECT 1 FROM menu_info CH
@@ -41,12 +40,12 @@ export async function POST(request: NextRequest) {
 SELECT ASM.menu_objid
 FROM authority_sub_user ASU
 JOIN authority_sub_menu ASM ON ASM.master_objid = ASU.master_objid
- WHERE ASU.user_id = $3::text
+ WHERE ASU.user_id = $2::text
 )
 )
 )
 ORDER BY MI.SEQ`,
- [menuObjId, isAdmin, user.userId]
+ [menuObjId, user.userId]
 );
 return NextResponse.json({ RESULT: rows });
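Review bot: The authorization filter now rests entirely on `user.userId`, but `user` is resolved before the first hunk, so the hunk alone cannot show that it comes from the server-side session rather than from the request; the new comment's "no backdoor" claim holds only under that assumption, and it is worth stating it at the assignment, e.g. `// user must come from the authenticated session, never from the request body`. In the same hunk the unchanged `const menuObjId = body.MENUOBJID || "";` still feeds the untrusted payload into `$1::numeric`, so a missing or non-numeric MENUOBJID surfaces as a Postgres cast error (a 500) instead of a validation error; a boundary check such as `if (!/^\d+$/.test(String(body?.MENUOBJID ?? ""))) return NextResponse.json({ RESULT: [] }, { status: 400 });` (constructed example) keeps malformed input out of the query and gives callers a clear signal. POST begins outside the hunk.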
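Review bot: The authority lookup (`SELECT ASM.menu_objid FROM authority_sub_user ASU JOIN authority_sub_menu ASM ... WHERE ASU.user_id = $2::text`) is written out twice — once in the `MI.OBJID IN (...)` branch of this hunk and again inside the `EXISTS` subquery of the third hunk — and the commit had to renumber the parameter in both copies, which is exactly the kind of drift that lets one copy fall out of sync on the next change. A `WITH allowed AS (...)` common table expression at the top of the query, referenced as `IN (SELECT menu_objid FROM allowed)` in both places, would bind `$2` once and make the permission predicate a single auditable definition. The enclosing predicate of the second copy (the `CH` condition) lies between the hunks, so the exact replacement line there is not visible here.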