diff --git a/backend/src/db/migrations/20260122153000-ensure-public-permissions-fix.js b/backend/src/db/migrations/20260122153000-ensure-public-permissions-fix.js
new file mode 100644
index 0000000..698cb74
--- /dev/null
+++ b/backend/src/db/migrations/20260122153000-ensure-public-permissions-fix.js
@@ -0,0 +1,32 @@
+module.exports = {
+  async up(queryInterface, Sequelize) {
+    // 1. Ensure the join table exists (idempotent check)
+    await queryInterface.sequelize.query(`
+      CREATE TABLE IF NOT EXISTS "rolesPermissionsPermissions" (
+        "createdAt" timestamp with time zone NOT NULL,
+        "updatedAt" timestamp with time zone NOT NULL,
+        "roles_permissionsId" uuid NOT NULL,
+        "permissionId" uuid NOT NULL,
+        PRIMARY KEY ("roles_permissionsId", "permissionId")
+      );
+    `);
+
+    // 2. Ensure permissions exist (idempotent insert)
+    // We select the IDs of the required permissions and the Public role, then insert into the join table.
+    await queryInterface.sequelize.query(`
+      INSERT INTO "rolesPermissionsPermissions" ("createdAt", "updatedAt", "roles_permissionsId", "permissionId")
+      SELECT NOW(), NOW(), r.id, p.id
+      FROM roles r, permissions p
+      WHERE r.name = 'Public' AND p.name IN ('READ_COURSES', 'READ_USERS', 'READ_CATEGORIES', 'READ_LESSONS')
+      ON CONFLICT ("roles_permissionsId", "permissionId") DO NOTHING;
+    `);
+  },
+
+  async down(queryInterface, Sequelize) {
+    // We generally don't want to remove permissions in a 'fix' migration rollback 
+    // as it might inadvertently remove permissions granted by the original migration or manual fixes.
+    // However, strictly speaking, we could reverse the insert.
+    // For safety in this specific context (getting prod to work), we'll leave it empty 
+    // or just rely on the previous migration's down logic if needed.
+  }
+};