diff --git a/changes/40887-fix-file-permission-self-heal b/changes/40887-fix-file-permission-self-heal
new file mode 100644
index 0000000000..913df73c12
--- /dev/null
+++ b/changes/40887-fix-file-permission-self-heal
@@ -0,0 +1 @@
+* Fixed `secure.OpenFile` to self-heal incorrect file permissions via `chmod` instead of returning a fatal error.
diff --git a/orbit/changes/40887-fix-file-permission-self-heal b/orbit/changes/40887-fix-file-permission-self-heal
new file mode 100644
index 0000000000..c866e35428
--- /dev/null
+++ b/orbit/changes/40887-fix-file-permission-self-heal
@@ -0,0 +1 @@
+* Fixed orbit crash loop when `updates-metadata.json` has incorrect file permissions by self-healing via `chmod` instead of fatally erroring.
diff --git a/pkg/secure/secure.go b/pkg/secure/secure.go
index f89db0efd5..9bc9c714ad 100644
--- a/pkg/secure/secure.go
+++ b/pkg/secure/secure.go
@@ -66,8 +66,10 @@ func checkPermPath(path string, perm os.FileMode) error {
 
 func checkPermFile(filePath string, perm os.FileMode) error {
 	if f, err := os.Stat(filePath); !errors.Is(err, os.ErrNotExist) && f != nil && f.Mode() != perm {
-		return fmt.Errorf(
-			"File %s already exists with mode %o instead of the expected %o", filePath, f.Mode(), perm)
+		if chmodErr := os.Chmod(filePath, perm); chmodErr != nil {
+			return fmt.Errorf(
+				"file %s has mode %o instead of the expected %o and chmod failed: %w", filePath, f.Mode(), perm, chmodErr)
+		}
 	}
 	if err := checkPermPath(path.Dir(filePath), perm); err != nil {
 		return err
diff --git a/pkg/secure/secure_test.go b/pkg/secure/secure_test.go
index 984a2ed923..7b68ae13a1 100644
--- a/pkg/secure/secure_test.go
+++ b/pkg/secure/secure_test.go
@@ -44,13 +44,16 @@ func TestOpenFile(t *testing.T) {
 	require.NotNil(t, fd)
 	require.NoError(t, fd.Close())
 
-	_, err = OpenFile(filePath, os.O_CREATE|os.O_WRONLY, 0677)
-	require.Error(t, err)
-	expectedFileErr := fmt.Sprintf(
-		"File %s already exists with mode 755 instead of the expected %o", filePath, 0677)
-	require.Equal(t, expectedFileErr, err.Error())
+	// Opening with a different perm should self-heal via chmod rather than error.
+	fd, err = OpenFile(filePath, os.O_CREATE|os.O_WRONLY, 0600)
+	require.NoError(t, err)
+	fd.Close()
+	info, err := os.Stat(filePath)
+	require.NoError(t, err)
+	require.Equal(t, os.FileMode(0600), info.Mode())
 
-	fd, err = OpenFile(filePath, os.O_CREATE|os.O_WRONLY, 0755)
+	// Re-open with the now-correct mode still works.
+	fd, err = OpenFile(filePath, os.O_CREATE|os.O_WRONLY, 0600)
 	require.NoError(t, err)
 	fd.Close()
 }