diff --git a/builtin/logical/pki/backend.go b/builtin/logical/pki/backend.go
index 2b9044db4e16..615380a826fa 100644
--- a/builtin/logical/pki/backend.go
+++ b/builtin/logical/pki/backend.go
@@ -297,7 +297,9 @@ func Backend(conf *logical.BackendConfig) *backend {
 
 	// Delay the first tidy until after we've started up, this will be reset within the initialize function
 	now := time.Now()
+	b.tidyStatusLock.Lock()
 	b.lastAutoTidy = now
+	b.tidyStatusLock.Unlock()
 
 	// Keep track of when this mount was started up.
 	b.mountStartup = now
diff --git a/builtin/logical/pki/path_tidy.go b/builtin/logical/pki/path_tidy.go
index a8971832c2b1..5e7a4b037681 100644
--- a/builtin/logical/pki/path_tidy.go
+++ b/builtin/logical/pki/path_tidy.go
@@ -1724,7 +1724,7 @@ func (b *backend) pathTidyStatusRead(_ context.Context, _ *logical.Request, _ *f
 			"acme_account_safety_buffer":            nil,
 			"cert_metadata_deleted_count":           nil,
 			"cmpv2_nonce_deleted_count":             nil,
-			"last_auto_tidy_finished":               b.getLastAutoTidyTime(),
+			"last_auto_tidy_finished":               b.getLastAutoTidyTimeWithoutLock(), // we acquired the tidyStatusLock above.
 		},
 	}
 
@@ -2126,6 +2126,12 @@ func (b *backend) updateLastAutoTidyTime(sc *storageContext, lastRunTime time.Ti
 func (b *backend) getLastAutoTidyTime() time.Time {
 	b.tidyStatusLock.RLock()
 	defer b.tidyStatusLock.RUnlock()
+	return b.getLastAutoTidyTimeWithoutLock()
+}
+
+// getLastAutoTidyTimeWithoutLock should be used to read from b.lastAutoTidy with the
+// b.tidyStatusLock being acquired, normally use getLastAutoTidyTime
+func (b *backend) getLastAutoTidyTimeWithoutLock() time.Time {
 	return b.lastAutoTidy
 }