diff --git a/src/controllers/08-credit-note-controller.ts b/src/controllers/08-credit-note-controller.ts
index 3be267d..e4b37ff 100644
--- a/src/controllers/08-credit-note-controller.ts
+++ b/src/controllers/08-credit-note-controller.ts
@@ -3,6 +3,7 @@ import {
   Controller,
   Delete,
   Get,
+  Head,
   Path,
   Post,
   Put,
@@ -23,6 +24,7 @@ import {
 } from "../services/permission";
 import HttpError from "../interfaces/http-error";
 import HttpStatus from "../interfaces/http-status";
+import { deleteFile, fileLocation, getFile, getPresigned, listFile, setFile } from "../utils/minio";
 import { notFoundError } from "../utils/error";
 import { CreditNotePaybackType, CreditNoteStatus, Prisma } from "@prisma/client";
 import { queryOrNot } from "../utils/relation";
@@ -548,3 +550,64 @@ export class CreditNoteActionController extends Controller {
     });
   }
 }
+
+@Route("api/v1/credit-note/{creditNoteId}")
+@Tags("Credit Note")
+export class CreditNoteAttachmentController extends Controller {
+  async #checkPermission(user: RequestWithUser["user"], id: string) {
+    const creditNoteData = await prisma.creditNote.findFirst({
+      where: { id },
+      include: {
+        requestWork: true,
+        quotation: {
+          include: {
+            registeredBranch: { include: branchRelationPermInclude(user) },
+          },
+        },
+      },
+    });
+    if (!creditNoteData) throw notFoundError("Credit Note");
+    await permissionCheck(user, creditNoteData.quotation.registeredBranch);
+    return creditNoteData;
+  }
+
+  @Get("attachment")
+  @Security("keycloak")
+  async listAttachment(@Request() req: RequestWithUser, @Path() creditNoteId: string) {
+    await this.#checkPermission(req.user, creditNoteId);
+    return await listFile(fileLocation.creditNote.attachment(creditNoteId));
+  }
+
+  @Get("attachment/{name}")
+  @Security("keycloak")
+  async getAttachment(@Path() creditNoteId: string, @Path() name: string) {
+    return await getFile(fileLocation.creditNote.attachment(creditNoteId, name));
+  }
+
+  @Head("attachment/{name}")
+  async headAttachment(@Path() creditNoteId: string, @Path() name: string) {
+    return await getPresigned("head", fileLocation.creditNote.attachment(creditNoteId, name));
+  }
+
+  @Put("attachment/{name}")
+  @Security("keycloak")
+  async putAttachment(
+    @Request() req: RequestWithUser,
+    @Path() creditNoteId: string,
+    @Path() name: string,
+  ) {
+    await this.#checkPermission(req.user, creditNoteId);
+    return await setFile(fileLocation.creditNote.attachment(creditNoteId, name));
+  }
+
+  @Delete("attachment/{name}")
+  @Security("keycloak")
+  async delAttachment(
+    @Request() req: RequestWithUser,
+    @Path() creditNoteId: string,
+    @Path() name: string,
+  ) {
+    await this.#checkPermission(req.user, creditNoteId);
+    return await deleteFile(fileLocation.creditNote.attachment(creditNoteId, name));
+  }
+}
diff --git a/src/utils/minio.ts b/src/utils/minio.ts
index 4a2cfef..7ec0a3b 100644
--- a/src/utils/minio.ts
+++ b/src/utils/minio.ts
@@ -112,4 +112,7 @@ export const fileLocation = {
   task: {
     attachment: (taskId: string, name?: string) => `task/attachment-${taskId}/${name || ""}`,
   },
+  creditNote: {
+    attachment: (taskId: string, name?: string) => `credit-note/attachment-${taskId}/${name || ""}`,
+  },
 };