diff --git a/CHANGELOG.md b/CHANGELOG.md
index d92de99..8ade0e5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
 
+## Changes 10/24/2025 (v1.6.5)
+
+release(v1.6.5): fix PHP warning and upload-flag check in capabilities.php
+
+- Fix undefined variable: use $disableUpload consistently
+- Harden flag read: (bool)($perms['disableUpload'] ?? false)
+- Prevents warning and ensures Upload capability is computed correctly
+
+---
+
 ## Changes 10/24/2025 (v1.6.4)
 
 release(v1.6.4): runtime version injection + CI bump/sync; caching tweaks
diff --git a/public/api/folder/capabilities.php b/public/api/folder/capabilities.php
index 89cb333..7e9a4d6 100644
--- a/public/api/folder/capabilities.php
+++ b/public/api/folder/capabilities.php
@@ -153,7 +153,7 @@ if ($folder !== 'root') {
 $perms       = loadPermsFor($username);
 $isAdmin     = ACL::isAdmin($perms);
 $readOnly    = !empty($perms['readOnly']);
-$disableUp   = !empty($perms['disableUpload']);
+$disableUpload = (bool)($perms['disableUpload'] ?? false);
 $inScope     = inUserFolderScope($folder, $username, $perms, $isAdmin);
 
 // --- ACL base abilities ---
@@ -213,7 +213,7 @@ echo json_encode([
   'flags'   => [
     //'folderOnly'    => !empty($perms['folderOnly']) || !empty($perms['userFolderOnly']) || !empty($perms['UserFolderOnly']),
     'readOnly'      => $readOnly,
-    'disableUpload' => $disableUp,
+    'disableUpload' => $disableUpload,
   ],
   'owner'        => $owner,