diff --git a/CHANGELOG.md b/CHANGELOG.md
index fba9fb49..7e03b8bf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst)
 * elasticsearch : use logrotate for garbage collector logs instead of breaking compression cron
 * docker-host: fix type in daemon.json and remove host configuration that is already in the systemd service by default
+* haproxy: fix missing admin ACL in stats module access permissions
 
 ### Removed
 
diff --git a/haproxy/templates/haproxy.default.cfg.j2 b/haproxy/templates/haproxy.default.cfg.j2
index e33d111a..0f13e54d 100644
--- a/haproxy/templates/haproxy.default.cfg.j2
+++ b/haproxy/templates/haproxy.default.cfg.j2
@@ -63,7 +63,7 @@ listen stats
     acl stats_users http_auth(stats_users)
     stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users
 {% else %}
-    stats http-request deny if !stats_access_ips
+    stats http-request deny if !stats_access_ips !stats_admin_ips
 {% endif %}
 
     http-request set-log-level silent