diff --git a/models/perm/access/access.go b/models/perm/access/access.go
index cc8da1a33b..72dcd44b40 100644
--- a/models/perm/access/access.go
+++ b/models/perm/access/access.go
@@ -97,8 +97,8 @@ func refreshAccesses(ctx context.Context, repo *repo_model.Repository, accessMap
 	}
 
 	// Query existing accesses for cross-comparison
-	existingAccesses, err := db.Find[Access](ctx, builder.Eq{"repo_id": repo.ID})
-	if err != nil {
+	var existingAccesses []Access
+	if err := db.GetEngine(ctx).Where(builder.Eq{"repo_id": repo.ID}).Find(&existingAccesses); err != nil {
 		return fmt.Errorf("find existing accesses: %w", err)
 	}
 	existingMap := make(map[int64]perm.AccessMode, len(existingAccesses))
diff --git a/models/perm/access/access_test.go b/models/perm/access/access_test.go
index f01993ab4e..95709584c5 100644
--- a/models/perm/access/access_test.go
+++ b/models/perm/access/access_test.go
@@ -124,3 +124,38 @@ func TestRepository_RecalculateAccesses2(t *testing.T) {
 	assert.NoError(t, err)
 	assert.False(t, has)
 }
+
+func TestRepository_RecalculateAccesses_UpdateMode(t *testing.T) {
+	// Test the update path in refreshAccesses optimization
+	// Scenario: User's access mode changes from Read to Write
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
+	assert.NoError(t, repo.LoadOwner(t.Context()))
+
+	// Verify initial access mode
+	initialAccess := &access_model.Access{UserID: 4, RepoID: 4}
+	has, err := db.GetEngine(t.Context()).Get(initialAccess)
+	assert.NoError(t, err)
+	assert.True(t, has)
+	initialMode := initialAccess.Mode
+
+	// Change collaboration mode to trigger update path
+	newMode := perm_model.AccessModeAdmin
+	assert.NotEqual(t, initialMode, newMode, "New mode should differ from initial mode")
+
+	_, err = db.GetEngine(t.Context()).
+		Where("user_id = ? AND repo_id = ?", 4, 4).
+		Cols("mode").
+		Update(&repo_model.Collaboration{Mode: newMode})
+	assert.NoError(t, err)
+
+	// Recalculate accesses - should UPDATE existing access, not delete+insert
+	assert.NoError(t, access_model.RecalculateAccesses(t.Context(), repo))
+
+	// Verify access was updated, not deleted and re-inserted
+	updatedAccess := &access_model.Access{UserID: 4, RepoID: 4}
+	has, err = db.GetEngine(t.Context()).Get(updatedAccess)
+	assert.NoError(t, err)
+	assert.True(t, has, "Access should still exist")
+	assert.Equal(t, newMode, updatedAccess.Mode, "Access mode should be updated to new collaboration mode")
+}