diff --git a/builtin/logical/transit/path_keys.go b/builtin/logical/transit/path_keys.go
index ded75f57d874..9da21e855585 100644
--- a/builtin/logical/transit/path_keys.go
+++ b/builtin/logical/transit/path_keys.go
@@ -260,9 +260,10 @@ func (b *backend) pathPolicyWrite(ctx context.Context, req *logical.Request, d *
 if p == nil {
 return nil, fmt.Errorf("error generating key: returned policy was nil")
 }
- if b.System().CachingDisabled() {
- p.Unlock()
+ if !b.System().CachingDisabled() {
+ p.Lock(true)
 }
+ defer p.Unlock()
 
 resp, err := b.formatKeyPolicy(p, nil)
 if err != nil {
diff --git a/changelog/28839.txt b/changelog/28839.txt
new file mode 100644
index 000000000000..b719e5ea470c
--- /dev/null
+++ b/changelog/28839.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Fix a race in which responses from the key update api could contain results from another subsequent update
+```
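Review bot: The unconditional `defer p.Unlock()` is balanced only if the policy arrives already locked whenever `CachingDisabled()` is true, because `p.Lock(true)` runs only in the caching-enabled branch, and nothing in the hunk states that contract. A later edit that changes the condition could unlock a lock that is not held, or bring back the unsynchronised read of key material metadata that this change closes. A comment above the `if` would pin it, for example `// With caching disabled the policy is handed to us already locked; otherwise lock it here so formatKeyPolicy reads a consistent policy.` (wording to be confirmed against the policy getter, which is outside the hunk). Separately, `p.Lock(true)` takes the lock exclusively although `formatKeyPolicy` appears only to read the policy; if that holds, `p.Lock(false)` would avoid serialising concurrent responses for the same key. pathPolicyWrite starts and ends outside the hunk.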