diff --git a/backend/src/services/audit.service.ts b/backend/src/services/audit.service.ts
index 4a68131..e6f0b82 100644
--- a/backend/src/services/audit.service.ts
+++ b/backend/src/services/audit.service.ts
@@ -241,7 +241,17 @@ class AuditService {
       if (admins.length === 0) return;
 
       const titel = sensitiveActions[entry.action] || 'Benutzer-Änderung';
-      const nachricht = `${entry.action} auf ${entry.resource_type}${entry.resource_id ? ' ' + entry.resource_id : ''} durch ${entry.user_email ?? 'System'}`;
+
+      let nachricht: string;
+      if (entry.action === 'PERMISSION_DENIED') {
+        const meta = entry.metadata as Record<string, unknown> | undefined;
+        const perm = meta?.required_permission ?? '?';
+        const path = meta?.attempted_path ?? '';
+        const method = meta?.attempted_method ?? '';
+        nachricht = `${entry.user_email ?? 'Unbekannt'}: ${method} ${path} — benötigt "${perm}"`;
+      } else {
+        nachricht = `${entry.action} auf ${entry.resource_type}${entry.resource_id ? ' ' + entry.resource_id : ''} durch ${entry.user_email ?? 'System'}`;
+      }
 
       for (const admin of admins) {
         // Don't notify the admin about their own actions