diff --git a/plugins/cue_points/annotation/lib/api/KalturaAnnotation.php b/plugins/cue_points/annotation/lib/api/KalturaAnnotation.php
index 5871e9cc8e4..ed1fe332045 100644
--- a/plugins/cue_points/annotation/lib/api/KalturaAnnotation.php
+++ b/plugins/cue_points/annotation/lib/api/KalturaAnnotation.php
@@ -197,37 +197,47 @@ public function updateEndTimeAndDuration($cuePoint) } /* - * @param string $cuePointId - * @throw KalturaAPIException - when parent annotation doesn't belong to the same entry - */ - public function validateParentId($cuePointId = null) - { + * @param string $cuePointId + * @throw KalturaAPIException - when parent annotation doesn't belong to the same entry + */ + public function validateParentId($cuePointId = null) + { //Backward compatibility patch if ($this->isNull('parentId')) $this->parentId = 0; - if ($this->parentId) - { - $dbParentCuePoint = CuePointPeer::retrieveByPK($this->parentId); - if (!$dbParentCuePoint) - throw new KalturaAPIException(KalturaCuePointErrors::PARENT_ANNOTATION_NOT_FOUND, $this->parentId); + if ($this->parentId) + { + $dbParentCuePoint = CuePointPeer::retrieveByPK($this->parentId); + if (!$dbParentCuePoint) + throw new KalturaAPIException(KalturaCuePointErrors::PARENT_ANNOTATION_NOT_FOUND, $this->parentId); - if($cuePointId !== null){// update - $dbCuePoint = CuePointPeer::retrieveByPK($cuePointId); - if(!$dbCuePoint) - throw new KalturaAPIException(KalturaCuePointErrors::INVALID_OBJECT_ID, $cuePointId); + if($cuePointId !== null) + {// update + $dbCuePoint = CuePointPeer::retrieveByPK($cuePointId); + if(!$dbCuePoint) + throw new KalturaAPIException(KalturaCuePointErrors::INVALID_OBJECT_ID, $cuePointId); - if($dbCuePoint->isDescendant($this->parentId)) - throw new KalturaAPIException(KalturaCuePointErrors::PARENT_ANNOTATION_IS_DESCENDANT, $this->parentId, $dbCuePoint->getId()); + if($dbCuePoint->isDescendant($this->parentId)) + throw new KalturaAPIException(KalturaCuePointErrors::PARENT_ANNOTATION_IS_DESCENDANT, $this->parentId, $dbCuePoint->getId()); + + if ($dbParentCuePoint->getEntryId() != $dbCuePoint->getEntryId()) + throw new KalturaAPIException(KalturaCuePointErrors::PARENT_ANNOTATION_DO_NOT_BELONG_TO_THE_SAME_ENTRY); + } + else + { + if ($dbParentCuePoint->getEntryId() != $this->entryId) + throw new 
KalturaAPIException(KalturaCuePointErrors::PARENT_ANNOTATION_DO_NOT_BELONG_TO_THE_SAME_ENTRY); + } + } + } - if ($dbParentCuePoint->getEntryId() != $dbCuePoint->getEntryId()) - throw new KalturaAPIException(KalturaCuePointErrors::PARENT_ANNOTATION_DO_NOT_BELONG_TO_THE_SAME_ENTRY); - } - else - { - if ($dbParentCuePoint->getEntryId() != $this->entryId) - throw new KalturaAPIException(KalturaCuePointErrors::PARENT_ANNOTATION_DO_NOT_BELONG_TO_THE_SAME_ENTRY); - } - } - } + protected function validateEntryEntitlement(entry $dbEntry, $tags) + { + if (!kEntitlementUtils::isEntryEntitled($dbEntry) && str_contains($tags, 'hotspots')) + { + KalturaLog::debug("User is not allowed to edit " . get_class($this) . " on entry [$this->entryId]"); + throw new KalturaAPIException(KalturaErrors::INVALID_USER_ID); + } + } } diff --git a/plugins/cue_points/base/lib/api/KalturaCuePoint.php b/plugins/cue_points/base/lib/api/KalturaCuePoint.php index dba6ea85b1b..9019cd78b9d 100644 --- a/plugins/cue_points/base/lib/api/KalturaCuePoint.php +++ b/plugins/cue_points/base/lib/api/KalturaCuePoint.php @@ -201,6 +201,13 @@ public function validateEntryId($cuePointId = null) if($this->entryId !== null && $this->entryId != $dbCuePoint->getEntryId()) throw new KalturaAPIException(KalturaCuePointErrors::CANNOT_UPDATE_ENTRY_ID); } + + $this->validateEntryEntitlement($dbEntry, $this->tags); + } + + protected function validateEntryEntitlement(entry $dbEntry, $tags) + { + } /** 
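Review bot: The new `validateEntryEntitlement` decides whether to enforce entitlement with `str_contains($tags, 'hotspots')`, a case-sensitive substring test on a value that can be null (the base class passes `$this->tags` straight through). A tag spelled `Hotspots` skips the check, an unrelated tag that merely contains the substring triggers it, and passing null to `str_contains` is deprecated since PHP 8.1. Assuming tags are a comma-separated list and the tag is meant to match regardless of case, compare normalized whole tags instead, e.g. `$tagList = array_map('trim', explode(',', strtolower((string)$tags)));` followed by `if (in_array('hotspots', $tagList, true) && !kEntitlementUtils::isEntryEntitled($dbEntry))`. The rejection is also logged only at debug level, so denied edits may not show up in production logs; a higher level would make them easier to monitor. The rest of this hunk is a re-indent of `validateParentId`, and the class body starts outside it.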
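Review bot: The call `$this->validateEntryEntitlement($dbEntry, $this->tags)` at the end of `validateEntryId` only sees the tags sent in the request, so an update that sets `entryId` but leaves `tags` unset passes null and the annotation override never looks at the tags already stored on the cue point. The `validateForUpdate` hunk in the same file has the mirror problem: `$this->tags ?? $sourceObject->getTags()` prefers the requested tags, so a request that replaces the tags on an existing `hotspots` cue point is judged only on the new value. For updates the check should consider both the stored and the requested tags, for example by calling `validateEntryEntitlement` once for each non-null value. The empty base implementation would also benefit from a docblock such as `/** Hook for subclasses to reject edits on entries the caller is not entitled to; the base cue point enforces nothing. */`. `validateEntryId` starts outside this hunk, so where `$dbEntry` is assigned is not visible here.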
@@ -314,15 +321,28 @@ public function validateForInsert($propertiesToSkip = array()) public function validateForUpdate($sourceObject, $propertiesToSkip = array()) { - if($this->tags !== null) + if ($this->tags !== null) + { $this->validatePropertyMaxLength("tags", CuePointPeer::MAX_TAGS_LENGTH); - - if($this->entryId !== null) + } + + if ($this->entryId !== null) + { $this->validateEntryId($sourceObject->getId()); + } + else + { + $cuePoint = CuePointPeer::retrieveByPK($sourceObject->getId()); + $dbEntry = entryPeer::retrieveByPK($cuePoint->getEntryId()); + $tags = $this->tags ?? $sourceObject->getTags(); + $this->validateEntryEntitlement($dbEntry, $tags); + } - if($this->startTime !== null) + if ($this->startTime !== null) + { $this->validateStartTime($sourceObject->getId()); - + } + $propertiesToSkip[] = 'cuePointType'; return parent::validateForUpdate($sourceObject, $propertiesToSkip); }
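Review bot: In the new `else` branch of `validateForUpdate`, the results of `CuePointPeer::retrieveByPK()` and `entryPeer::retrieveByPK()` are used without a null check, although `validateParentId` in the annotation class guards the same cue-point lookup. A missing cue point would fail on `$cuePoint->getEntryId()`, and a missing entry would hit the `entry $dbEntry` type hint, so the caller gets a PHP error instead of a `KalturaAPIException`. Guard both lookups as below. If `$sourceObject` is already the stored cue point (it exposes `getId()` and `getTags()`), `$sourceObject->getEntryId()` would probably avoid the first query altogether.

```php
$cuePoint = CuePointPeer::retrieveByPK($sourceObject->getId());
if (!$cuePoint)
	throw new KalturaAPIException(KalturaCuePointErrors::INVALID_OBJECT_ID, $sourceObject->getId());

$dbEntry = entryPeer::retrieveByPK($cuePoint->getEntryId());
if (!$dbEntry)
	throw new KalturaAPIException(KalturaErrors::ENTRY_ID_NOT_FOUND, $cuePoint->getEntryId());

// … unchanged: $tags selection and validateEntryEntitlement() call …
```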