diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/security/mask/PIIMasker.java b/openmetadata-service/src/main/java/org/openmetadata/service/security/mask/PIIMasker.java
index e03e2354689f..f2476628ce68 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/mask/PIIMasker.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/mask/PIIMasker.java
@@ -302,7 +302,9 @@ public static ResultList getQueries(
 }

 private static boolean hasPiiSensitiveTag(Query query) {
- return query.getTags().stream().map(TagLabel::getTagFQN).anyMatch(SENSITIVE_PII_TAG::equals);
+ return listOrEmpty(query.getTags()).stream()
+ .map(TagLabel::getTagFQN)
+ .anyMatch(SENSITIVE_PII_TAG::equals);
 }

 private static boolean hasPiiSensitiveTag(Column column) {
diff --git a/openmetadata-service/src/test/java/org/openmetadata/service/security/mask/PIIMaskerTest.java b/openmetadata-service/src/test/java/org/openmetadata/service/security/mask/PIIMaskerTest.java
index ef1990f1210d..5bb764bd6ea1 100644
--- a/openmetadata-service/src/test/java/org/openmetadata/service/security/mask/PIIMaskerTest.java
+++ b/openmetadata-service/src/test/java/org/openmetadata/service/security/mask/PIIMaskerTest.java
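Review bot: `listOrEmpty(query.getTags())` in `hasPiiSensitiveTag(Query)` makes a query whose tags are `null` count as not sensitive, so the masker fails open for it; the new test in PIIMaskerTest.java pins exactly that, with an unauthorized caller getting the full `select email from customer` text back. That is correct if `null` always means "no tags", but if tags can also be `null` because they were not loaded for the request (not visible from this hunk), a sensitive query would skip masking. I would state the assumption on the method, e.g. `// null tags are treated as "not PII-sensitive"; callers must load tags before masking`, or confirm that `getQueries` is only reached with tags populated. The `hasPiiSensitiveTag(Column)` overload starts on the last context line and its body is outside the hunk, so it is worth checking whether it needs the same null guard.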
@@ -263,6 +263,26 @@ void getQueriesAndMaskUserHideSensitiveValuesForUnauthorizedUsers() {
 assertEquals(PIIMasker.MASKED_MAIL, maskedUser.getEmail());
 }

+ @Test
+ void getQueriesHandlesNullTagsForUnauthorizedUsers() {
+ Authorizer authorizer = mock(Authorizer.class);
+ SecurityContext securityContext = mock(SecurityContext.class);
+
+ EntityReference owner = entityReference(Entity.USER, "owner");
+
+ Query query = new Query().withQuery("select email from customer").withOwners(List.of(owner));
+
+ query.setTags(null);
+
+ ResultList queries = new ResultList<>(new ArrayList<>(List.of(query)));
+
+ when(authorizer.authorizePII(securityContext, List.of(owner))).thenReturn(false);
+
+ ResultList result = PIIMasker.getQueries(queries, authorizer, securityContext);
+
+ assertEquals("select email from customer", result.getData().get(0).getQuery());
+ }
+
 @Test
 void getQueriesAndMaskUserLeaveAuthorizedValuesUntouched() {
 Authorizer authorizer = mock(Authorizer.class);