diff --git a/vault/dynamic_system_view.go b/vault/dynamic_system_view.go
index 1cd74af4e583..18c2d2518aea 100644
--- a/vault/dynamic_system_view.go
+++ b/vault/dynamic_system_view.go
@@ -110,11 +110,13 @@ func (d dynamicSystemView) SudoPrivilege(ctx context.Context, path string, token
 // The operation type isn't important here as this is run from a path the
 // user has already been given access to; we only care about whether they
- // have sudo
+ // have sudo. Note that we use root context because the path that comes in
+ // must be fully-qualified already so we don't want AllowOperation to
+ // prepend a namespace prefix onto it.
 req := new(logical.Request)
 req.Operation = logical.ReadOperation
 req.Path = path
- authResults := acl.AllowOperation(ctx, req, true)
+ authResults := acl.AllowOperation(namespace.RootContext(ctx), req, true)
 return authResults.RootPrivs
 }
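Review bot: The new call `acl.AllowOperation(namespace.RootContext(ctx), req, true)` makes the sudo decision depend on `path` already being fully qualified, but that requirement is stated only in an inline comment and nothing in the visible lines checks it. If a caller ever passes a namespace-relative path, the ACL would be evaluated against whatever root-namespace path has the same name, so the result could be wrong in either direction. I would put the contract on the function's doc comment, which starts outside this hunk, for example `// path must be fully qualified, including any namespace prefix; it is checked against the root namespace.` A regression test that calls SudoPrivilege with a token and path from a child namespace would pin the behaviour. No such test is visible in this diff.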