diff --git a/engines/registry/app/models/access_scope.rb b/engines/registry/app/models/access_scope.rb
index 7e5c7b7ad..511dbbca5 100644
--- a/engines/registry/app/models/access_scope.rb
+++ b/engines/registry/app/models/access_scope.rb
@@ -87,7 +87,7 @@ def allowed_paths(system = nil)
     allowed_product_classes = (active_product_classes & access_policies_yml.keys)
     if system && system.hybrid?
       # if the system is hybrid => check if the non free product subscription is still valid for accessing images
-      allowed_non_free_product_classes = allowed_product_classes.map { |s| s unless Product.find_by(product_class: s).free? }
+      allowed_non_free_product_classes = allowed_product_classes.map { |s| s unless Product.find_by(product_class: s, product_type: 'extension').free? }.compact
       unless allowed_non_free_product_classes.empty?
         auth_header = {
           'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(system.login, system.password)
diff --git a/engines/registry/spec/app/models/access_scope_spec.rb b/engines/registry/spec/app/models/access_scope_spec.rb
index 9b0f6dff0..1448388e7 100644
--- a/engines/registry/spec/app/models/access_scope_spec.rb
+++ b/engines/registry/spec/app/models/access_scope_spec.rb
@@ -194,7 +194,7 @@
           system
         end
         let(:product1) do
-          product = FactoryBot.create(:product, :with_mirrored_repositories)
+          product = FactoryBot.create(:product, :with_mirrored_repositories, :extension)
           product.repositories.where(enabled: false).update(mirroring_enabled: false)
           product.update(product_class: 'SLES15-SP4-LTSS-X86')
           product