diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index d970991ff0f..86e6e58762b 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -2,6 +2,7 @@
 
 require "mini_mime"
 require_dependency 'upload_creator'
+require_dependency "file_store/local_store"
 
 class UploadsController < ApplicationController
   requires_login except: [:show]
@@ -67,10 +68,14 @@ class UploadsController < ApplicationController
     return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
 
     RailsMultisite::ConnectionManagement.with_connection(params[:site]) do |db|
-      return render_404 unless Discourse.store.internal?
       return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
 
       if upload = Upload.find_by(sha1: params[:sha]) || Upload.find_by(id: params[:id], url: request.env["PATH_INFO"])
+        unless Discourse.store.internal?
+          local_store = FileStore::LocalStore.new
+          return render_404 unless local_store.has_been_uploaded?(upload.url)
+        end
+
         opts = {
           filename: upload.original_filename,
           content_type: MiniMime.lookup_by_filename(upload.original_filename)&.content_type,
diff --git a/spec/requests/uploads_controller_spec.rb b/spec/requests/uploads_controller_spec.rb
index 9df65a54579..d4f5254db9e 100644
--- a/spec/requests/uploads_controller_spec.rb
+++ b/spec/requests/uploads_controller_spec.rb
@@ -214,13 +214,24 @@ describe UploadsController do
       upload
     end
 
-    it "returns 404 when using external storage" do
-      SiteSetting.enable_s3_uploads = true
-      SiteSetting.s3_access_key_id = "fakeid7974664"
-      SiteSetting.s3_secret_access_key = "fakesecretid7974664"
+    context "when using external storage" do
+      before do
+        @upload = upload_file("small.pdf", "pdf")
+        SiteSetting.enable_s3_uploads = true
+        SiteSetting.s3_access_key_id = "fakeid7974664"
+        SiteSetting.s3_secret_access_key = "fakesecretid7974664"
+      end
 
-      get "/uploads/#{site}/#{sha}.pdf"
-      expect(response.response_code).to eq(404)
+      it "returns 404" do
+        @upload.update_column(:url, "//bucket.s3.amazonaws.com/#{@upload.url}")
+        get "/uploads/#{site}/#{@upload.sha1}.#{@upload.extension}"
+        expect(response.response_code).to eq(404)
+      end
+
+      it "returns upload if url not migrated" do
+        get "/uploads/#{site}/#{@upload.sha1}.#{@upload.extension}"
+        expect(response.status).to eq(200)
+      end
     end
 
     it "returns 404 when the upload doesn't exist" do