diff --git a/agent/client_overview.php b/agent/client_overview.php
index 82768fdc..8ae1c8b0 100644
--- a/agent/client_overview.php
+++ b/agent/client_overview.php
@@ -467,7 +467,7 @@ $sql_asset_retired = mysqli_query( Expires - +
diff --git a/post/misc.php b/post/misc.php
index 47238dd3..36511d67 100644
--- a/post/misc.php
+++ b/post/misc.php
@@ -63,6 +63,8 @@ if (isset($_GET['dismiss_all_notifications'])) { // Revoke sharing (sharing itself is done via ajax.php) if (isset($_GET['deactivate_shared_item'])) { + validateCSRFToken($_GET['csrf_token']); + $item_id = intval($_GET['deactivate_shared_item']); // Get details of the shared link
@@ -72,6 +74,8 @@ if (isset($_GET['deactivate_shared_item'])) { $item_related_id = intval($row['item_related_id']); $client_id = intval($row['item_client_id']); + enforceClientAccess(); + // Deactivate item id mysqli_query($mysqli, "DELETE FROM shared_items WHERE item_id = $item_id");
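Review bot: The token is taken from the query string in `validateCSRFToken($_GET['csrf_token']);`, so the revoke is still a state-changing GET and the token ends up in URLs, access logs, browser history and Referer headers, where it can outlive the page it was issued for. Moving this handler to a POST form, as is usual for destructive actions, would keep the token out of those places. The index is also read unguarded: a request without `csrf_token` raises an undefined-key warning and passes null, so it is worth confirming that the helper rejects null, or writing `validateCSRFToken($_GET['csrf_token'] ?? '');` if it rejects an empty string. The enclosing `if` block continues outside the hunk.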
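Review bot: `enforceClientAccess();` takes no argument, so the check presumably reads the `$client_id` assigned on the line above as a global, and nothing at the call site says so; a comment such as `// enforceClientAccess() checks the global $client_id resolved from the shared item above` would keep a later refactor from moving or renaming that assignment and silently changing what is checked. The lookup that fills `$row` is outside the hunk, so it is not visible whether an `item_id` with no matching row is rejected first. In that case `intval($row['item_client_id'])` evaluates to 0, and it should be confirmed that the helper denies access for client id 0 rather than treating it as unscoped, or an explicit `if (!$row)` exit added before this call.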