diff --git a/includes/api/class-wc-rest-orders-controller.php b/includes/api/class-wc-rest-orders-controller.php
index 20b3df8e18b..02957242ac0 100644
--- a/includes/api/class-wc-rest-orders-controller.php
+++ b/includes/api/class-wc-rest-orders-controller.php
@@ -127,14 +127,20 @@ class WC_REST_Orders_Controller extends WC_REST_Legacy_Orders_Controller {
 }

 /**
- * Get object.
+ * Get object. Return false if object is not of required type.
 *
 * @since 3.0.0
 * @param int $id Object ID.
- * @return WC_Data
+ * @return WC_Data|bool
 */
 protected function get_object( $id ) {
- return wc_get_order( $id );
+ $order = wc_get_order( $id );
+ // In case id is a refund's id (or it's not an order at all), don't expose it via /orders/ path.
+ if ( ! $order || 'shop_order_refund' === $order->get_type() ) {
+ return false;
+ }
+
+ return $order;
 }

 /**
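Review bot: The new guard in `get_object()` excludes only the `'shop_order_refund'` type by name, so any other order-like type that `wc_get_order()` can return would presumably still be served through the /orders/ route. An allowlist fails closed: `if ( ! $order || 'shop_order' !== $order->get_type() ) {`, or a comparison with the controller's own post-type property if it has one (not visible in this hunk). Because the return type widens to `WC_Data|bool`, every caller that dereferences the result needs a falsy check before use; those callers are outside this hunk, so that should be confirmed there. The docblock could also read `@return WC_Data|false`, since `true` is never returned.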