diff --git a/src/controllers/SocketController.ts b/src/controllers/SocketController.ts
index c975336f..13bdde1d 100644
--- a/src/controllers/SocketController.ts
+++ b/src/controllers/SocketController.ts
@@ -36,13 +36,26 @@ export class SocketController extends Controller {
 },
 @Request() req: RequestWithUser,
 ) {
+ const toArray = (value?: string | string[]) => {
+ if (Array.isArray(value)) return value.filter(Boolean);
+ if (typeof value === "string" && value.trim()) return [value];
+ return [] as string[];
+ };
+
+ const targetUserIds = toArray(payload.targetUserId);
+ const targetRoles = toArray(payload.roles);
+
+ // If caller provides explicit user targets, do not combine with role targeting.
+ // This prevents accidental broad notifications when roles include common roles.
+ const recipients =
+ targetUserIds.length > 0
+ ? { userId: targetUserIds, roles: [] as string[] }
+ : { userId: [req.user.sub], roles: targetRoles };
+
 sendWebSocket(
 "socket-notification",
 { success: !payload.error, message: payload.message },
- {
- roles: payload.roles || req.user.role || [],
- userId: payload.targetUserId || req.user.sub || [],
- },
+ recipients,
 );
 }
 }
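Review bot: The new `recipients` object is built directly from the caller-supplied `payload.targetUserId` and `payload.roles`, and nothing in the hunk checks that `req.user` is allowed to address those users or that role, so the comment's goal of avoiding broad notifications only covers the accidental case — an explicit role list still fans out to everyone in it; if a route-level guard on the decorator already restricts who may call this, it sits outside the hunk (the method signature starts before it), and a one-line comment naming that guard above `const recipients =` would make the assumption visible. `toArray` also trims only the scalar form: an array input keeps whitespace-only entries and, since the payload arrives as request JSON, non-string elements pass `filter(Boolean)` unchanged, so `value.filter((v) => typeof v === "string" && v.trim() !== "")` would make both paths agree. The two `[] as string[]` assertions can be dropped by giving the helper an explicit return type, `const toArray = (value?: string | string[]): string[] => {`.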