diff --git a/lib/upload_security.rb b/lib/upload_security.rb
index c00c1376ecf..ecdc3c43b40 100644
--- a/lib/upload_security.rb
+++ b/lib/upload_security.rb
@@ -143,7 +143,7 @@ class UploadSecurity
           LEFT JOIN posts ON upload_references.target_type = 'Post' AND upload_references.target_id = posts.id
         SQL
         .where("posts.deleted_at IS NULL")
-        .order(created_at: :asc)
+        .order("upload_references.created_at ASC, upload_references.id ASC")
         .first
     return false if first_reference.blank?
     PUBLIC_UPLOAD_REFERENCE_TYPES.include?(first_reference.target_type)
diff --git a/spec/lib/upload_security_spec.rb b/spec/lib/upload_security_spec.rb
index 8834ff4fc40..a4feac8646d 100644
--- a/spec/lib/upload_security_spec.rb
+++ b/spec/lib/upload_security_spec.rb
@@ -257,6 +257,18 @@ RSpec.describe UploadSecurity do
           create_secure_post_reference
           expect(subject.should_be_secure?).to eq(false)
         end
+
+        context "when the created_at dates for upload references are identical" do
+          it "orders by id as well and returns false" do
+            now = Time.zone.now
+            custom_emoji = CustomEmoji.create(name: "meme", upload: upload)
+            create_secure_post_reference
+
+            UploadReference.find_by(target: custom_emoji).update!(created_at: now)
+            UploadReference.find_by(target: post_in_secure_context).update!(created_at: now)
+            expect(subject.should_be_secure?).to eq(false)
+          end
+        end
       end
 
       describe "when the upload is first used for a badge" do