diff --git a/vault/plugincatalog/plugin_catalog.go b/vault/plugincatalog/plugin_catalog.go
index d7d9b3a0c7f8e..6430cd27d09a7 100644
--- a/vault/plugincatalog/plugin_catalog.go
+++ b/vault/plugincatalog/plugin_catalog.go
@@ -972,7 +972,11 @@ func (c *PluginCatalog) setInternal(ctx context.Context, plugin pluginutil.SetPl
 var enterprise bool
 if plugin.OCIImage == "" {
- if len(plugin.Sha256) == 0 {
+ command = filepath.Join(c.directory, plugin.Command)
+ sym, err := filepath.EvalSymlinks(command)
+ if err != nil && len(plugin.Sha256) != 0 {
+ return nil, fmt.Errorf("error while validating the command path: %w", err)
+ } else if len(plugin.Sha256) == 0 {
 // Enterprise only: unpack the plugin artifact
 var unpackErr error
 enterprise, plugin.Command, plugin.Sha256, unpackErr = c.entUnpackArtifact(plugin)
@@ -984,11 +988,6 @@ func (c *PluginCatalog) setInternal(ctx context.Context, plugin pluginutil.SetPl
 } else {
 // Best effort check to make sure the command isn't breaking out of the
 // configured plugin directory.
- command = filepath.Join(c.directory, plugin.Command)
- sym, err := filepath.EvalSymlinks(command)
- if err != nil {
- return nil, fmt.Errorf("error while validating the command path: %w", err)
- }
 symAbs, err := filepath.Abs(filepath.Dir(sym))
 if err != nil {
 return nil, fmt.Errorf("error while validating the command path: %w", err)
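Review bot: In the first hunk the `filepath.EvalSymlinks` error is dropped without comment whenever `plugin.Sha256` is empty, and `command` is built from `plugin.Command` before `c.entUnpackArtifact` reassigns that field, so on the artifact branch nothing visible here resolves or validates the path that was actually unpacked. The plugin-directory containment check (kept in the final `else`, second hunk) therefore covers only plugins registered with a hash; unless the lines between the hunks recompute `command` and repeat the check, I would re-run it after a successful unpack, e.g. `command = filepath.Join(c.directory, plugin.Command)` followed by the same `EvalSymlinks`/`Abs` comparison. At minimum the ignored error deserves a why-comment such as `// err is ignored when no SHA-256 is given: the artifact is not unpacked yet, so the path may not exist`, which is my reading of the intent and should be confirmed. setInternal starts and ends outside both hunks.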