diff --git a/ee/app/finders/approval_rules/group_finder.rb b/ee/app/finders/approval_rules/group_finder.rb
index 040e06e61364ff312ccb0706e90eed2eeb64825a..55272ba5f1a286ab5511b583f8f231a62976416c 100644
--- a/ee/app/finders/approval_rules/group_finder.rb
+++ b/ee/app/finders/approval_rules/group_finder.rb
@@ -15,8 +15,12 @@ def initialize(rule, user)
     def visible_groups
       if Feature.enabled?(:subgroups_approval_rules, rule.project)
         strong_memoize(:visible_groups) do
-          Preloaders::GroupPolicyPreloader.new(groups, current_user).execute
-          groups.select { |group| current_user.can?(:read_group, group) }
+          if current_user
+            Preloaders::GroupPolicyPreloader.new(groups, current_user).execute
+            groups.select { |group| current_user.can?(:read_group, group) }
+          else
+            groups.public_to_user
+          end
         end
       else
         @visible_groups ||= groups.public_or_visible_to_user(current_user)
diff --git a/ee/spec/finders/approval_rules/group_finder_spec.rb b/ee/spec/finders/approval_rules/group_finder_spec.rb
index 25c361b022f48d4d4499201e3e501560bdbd5805..f3e107c6a89d8adb8ba8948cdb5b2b641f68e186 100644
--- a/ee/spec/finders/approval_rules/group_finder_spec.rb
+++ b/ee/spec/finders/approval_rules/group_finder_spec.rb
@@ -44,6 +44,20 @@
       end
     end
 
+    context 'when user is not authorized' do
+      subject { described_class.new(rule, nil) }
+
+      it 'returns only public groups' do
+        expect(subject.visible_groups).to contain_exactly(
+          public_group
+        )
+        expect(subject.hidden_groups).to contain_exactly(
+          private_accessible_group, private_accessible_subgroup, private_inaccessible_group
+        )
+        expect(subject.contains_hidden_groups?).to eq(true)
+      end
+    end
+
     context 'avoid N+1 query', :request_store do
       it 'avoids N+1 database queries' do
         rule.reload