diff --git a/sapl/base/media.py b/sapl/base/media.py
index 535da47db..058dc87ea 100644
--- a/sapl/base/media.py
+++ b/sapl/base/media.py
@@ -44,6 +44,15 @@ def _safe_resolve(rel_path):
     return abs_path
 
 
+def _is_public_docadm(path):
+    # Documentos Administrativos são sempre salvos na pasta /private,
+    # mas podem ter acesso público liberado como OSTENSIVO ou requerer
+    # autenticacao se for DOC_ADM_RESTRITIVO
+    from sapl.base.models import AppConfig, DOC_ADM_OSTENSIVO
+    return 'documentoadministrativo' in path and \
+        AppConfig.attr('documentos_administrativos') == DOC_ADM_OSTENSIVO
+
+
 def serve_media(request, path):
     """
     Registered in sapl/urls.py for both DEBUG and production.
@@ -53,7 +62,7 @@ def serve_media(request, path):
     abs_path = _safe_resolve(path)
 
     # Auth gate for private documents — redirect to login if anonymous.
-    if path.startswith('sapl/private/'):
+    if path.startswith('sapl/private/') and not _is_public_docadm(path):
         user = getattr(request, 'user', None)
         if user is None or not user.is_authenticated:
             from django.contrib.auth.views import redirect_to_login
diff --git a/sapl/settings.py b/sapl/settings.py
index 7c3d834ce..a44045e99 100644
--- a/sapl/settings.py
+++ b/sapl/settings.py
@@ -431,6 +431,7 @@ RATE_LIMIT_404_THRESHOLD = config('RATE_LIMIT_404_THRESHOLD', default=10, cast=i
 # it is also exempt at the nginx layer (location block with no limit_req).
 RATE_LIMIT_BYPASS_PATHS = [
     r'^/painel/\d+/dados$',
+    r'^/voto-individual/$',
 ]
 
 # API quota — daily and weekly call caps per consumer (Redis-only, no DB migration).
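Review bot: The `'documentoadministrativo' in path` test on the return line of `_is_public_docadm` matches the substring anywhere in the private path, so any file under `sapl/private/` whose name or directory happens to contain that word is served without authentication whenever `documentos_administrativos` is OSTENSIVO, even if it is not an administrative document at all. If administrative documents live in a dedicated upload directory, anchor the test to that segment, e.g. `'/documentoadministrativo/' in path` or a `path.startswith(...)` against the actual `upload_to` prefix, so a crafted filename cannot cross into the exemption. The comment mentions a DOC_ADM_RESTRITIVO case; if individual documents can also be marked restricted, a site-wide OSTENSIVO setting alone may not be enough to release a file, which is worth confirming against the model. The Portuguese comment should also be written in English: `# Administrative documents are always stored under /private, but are served publicly when AppConfig marks them OSTENSIVO; otherwise the login gate in serve_media applies.`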
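Review bot: The comment `# Auth gate for private documents — redirect to login if anonymous.` on the line above the changed `if` is now inaccurate, since the gate is skipped for paths `_is_public_docadm` accepts; update it to `# Auth gate for private documents — redirect to login if anonymous, unless the file is an administrative document and AppConfig marks those OSTENSIVO (public).` Because `_is_public_docadm` calls `AppConfig.attr(...)` for every request under `sapl/private/`, this adds a settings lookup to the serving hot path; if `attr` is not cached that is presumably a per-request query, worth checking. The body of serve_media continues past the end of the hunk.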
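Review bot: The new `r'^/voto-individual/$'` entry has no comment saying why that endpoint may skip the rate limiter, and the comment above the list says the existing entry is also exempted in the nginx configuration; unless a matching `location` block without `limit_req` is added for `/voto-individual/`, the exemption presumably takes effect only at the Django layer. If this endpoint accepts writes (e.g. a POST recording a vote), exempting it from throttling should be a deliberate choice documented next to the entry, e.g. `r'^/voto-individual/$',  # polled by the voting panel; must stay unthrottled — mirror in nginx`. Confirm the nginx change ships with this commit, since that file is not in the diff.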