diff --git a/executor/show_test.go b/executor/show_test.go
index 707b3ce39ab2e..353813fe2c168 100644
--- a/executor/show_test.go
+++ b/executor/show_test.go
@@ -160,6 +160,30 @@ func (s *testSuite2) TestShowGrantsPrivilege(c *C) {
 	tk2.MustQuery("show grants")
 }
 
+func (s *testSuite2) TestShowStatsPrivilege(c *C) {
+	tk := testkit.NewTestKit(c, s.store)
+	tk.MustExec("create user show_stats")
+	tk1 := testkit.NewTestKit(c, s.store)
+	se, err := session.CreateSession4Test(s.store)
+	c.Assert(err, IsNil)
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "show_stats", Hostname: "%"}, nil, nil), IsTrue)
+	tk1.Se = se
+	eqErr := plannercore.ErrDBaccessDenied.GenWithStackByArgs("show_stats", "%", mysql.SystemDB)
+	_, err = tk1.Exec("show stats_meta")
+	c.Assert(err.Error(), Equals, eqErr.Error())
+	_, err = tk1.Exec("SHOW STATS_BUCKETS")
+	c.Assert(err.Error(), Equals, eqErr.Error())
+	_, err = tk1.Exec("SHOW STATS_HEALTHY")
+	c.Assert(err.Error(), Equals, eqErr.Error())
+	_, err = tk1.Exec("SHOW STATS_HISTOGRAMS")
+	c.Assert(err.Error(), Equals, eqErr.Error())
+	tk.MustExec("grant select on mysql.* to show_stats")
+	tk1.MustExec("show stats_meta")
+	tk1.MustExec("SHOW STATS_BUCKETS")
+	tk1.MustExec("SHOW STATS_HEALTHY")
+	tk1.MustExec("SHOW STATS_HISTOGRAMS")
+}
+
 func (s *testSuite2) TestIssue18878(c *C) {
 	errNonexistingGrant := terror.ClassPrivilege.New(mysql.ErrNonexistingGrant, mysql.MySQLErrName[mysql.ErrNonexistingGrant])
 	tk := testkit.NewTestKit(c, s.store)
diff --git a/planner/core/planbuilder.go b/planner/core/planbuilder.go
index 215a77ae486f0..424a1efdb8738 100644
--- a/planner/core/planbuilder.go
+++ b/planner/core/planbuilder.go
@@ -1344,6 +1344,13 @@ func (b *PlanBuilder) buildShow(ctx context.Context, show *ast.ShowStmt) (Plan,
 		case ast.ShowCreateView:
 			err := ErrSpecificAccessDenied.GenWithStackByArgs("SHOW VIEW")
 			b.visitInfo = appendVisitInfo(b.visitInfo, mysql.ShowViewPriv, show.Table.Schema.L, show.Table.Name.L, "", err)
+		case ast.ShowStatsBuckets, ast.ShowStatsHistograms, ast.ShowStatsMeta, ast.ShowStatsHealthy:
+			user := b.ctx.GetSessionVars().User
+			var err error
+			if user != nil {
+				err = ErrDBaccessDenied.GenWithStackByArgs(user.AuthUsername, user.AuthHostname, mysql.SystemDB)
+			}
+			b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SelectPriv, mysql.SystemDB, "", "", err)
 		}
 		p.SetSchema(buildShowSchema(show, isView))
 	}