diff --git a/app/controllers/admin/variant_overrides_controller.rb b/app/controllers/admin/variant_overrides_controller.rb
index de58a3b514..ba591bd967 100644
--- a/app/controllers/admin/variant_overrides_controller.rb
+++ b/app/controllers/admin/variant_overrides_controller.rb
@@ -79,6 +79,14 @@ module Admin
 joins(variant: :product).
 preload(variant: :product).
 for_hubs(params[:hub_id] || @hubs)
+
+ return @variant_overrides unless params.key?(:variant_overrides)
+
+ @variant_overrides.where(id: modified_variant_overrides_ids)
+ end
+
+ def modified_variant_overrides_ids
+ variant_overrides_params.map { |vo| vo[:id] }
 end

 def collection_actions
diff --git a/spec/controllers/admin/variant_overrides_controller_spec.rb b/spec/controllers/admin/variant_overrides_controller_spec.rb
index 1dca6eeec6..ad2adcc6d7 100644
--- a/spec/controllers/admin/variant_overrides_controller_spec.rb
+++ b/spec/controllers/admin/variant_overrides_controller_spec.rb
@@ -36,6 +36,13 @@ describe Admin::VariantOverridesController, type: :controller do
 spree_put :bulk_update, format: format, variant_overrides: variant_override_params
 expect(response).to redirect_to unauthorized_path
 end
+
+ it 'only authorizes the updated variant overrides' do
+ other_variant_override = create(:variant_override, hub: hub, variant: create(:variant))
+ expect(controller).not_to receive(:authorize!).with(:update, other_variant_override)
+
+ spree_put :bulk_update, format: format, variant_overrides: variant_override_params
+ end
 end

 context "and the producer has granted VO permission" do
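Review bot: The narrowed relation on the last added line of the first method is returned but never stored, so `@variant_overrides` still holds the full hub-scoped set while callers of this method see only the submitted ids. If the `authorize!` loop iterates the return value but the update path (outside this hunk) reads the ivar or looks records up from the params, records could be written without an authorization check; assigning it back, `@variant_overrides = @variant_overrides.where(id: modified_variant_overrides_ids)`, would keep both on one set. The ids come straight from the request, and an id outside the hub scope is silently dropped by the `where` rather than rejected, so the update code should not treat a missing record as something to create. The method's opening lines are outside the hunk, and so is whether `modified_variant_overrides_ids` sits under `private`; it should, so it is not exposed as a controller action.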
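Review bot: The new example only asserts a negative (`not_to receive(:authorize!).with(:update, other_variant_override)`), so it would still pass if `authorize!` were never called at all. For an authorization change it would be safer to also expect `authorize!` to be received with `:update` and the override referenced by `variant_override_params`. It should also assert after the request that `other_variant_override` is unchanged, so the spec proves the unauthorized record is neither checked nor written.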