diff --git a/changelog/27459.txt b/changelog/27459.txt
new file mode 100644
index 0000000000..d46570f5a4
--- /dev/null
+++ b/changelog/27459.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+config: Vault TCP listener config now correctly supports the documented proxy_protocol_behavior
+setting of 'deny_unauthorized'
+```
diff --git a/internalshared/configutil/listener.go b/internalshared/configutil/listener.go
index 0504702028..1e959b5c86 100644
--- a/internalshared/configutil/listener.go
+++ b/internalshared/configutil/listener.go
@@ -562,9 +562,9 @@ func (l *Listener) parseProxySettings() error {
 // Validation/sanity check on allowed settings for behavior.
 switch l.ProxyProtocolBehavior {
- case "allow_authorized", "deny_authorized", "use_always", "":
+ case "allow_authorized", "deny_unauthorized", "use_always", "":
 // Ignore these cases, they're all valid values.
- // In the case of 'allow_authorized' and 'deny_authorized', we don't need
+ // In the case of 'allow_authorized' and 'deny_unauthorized', we don't need
 // to check how many addresses we have in ProxyProtocolAuthorizedAddrs
 // as parseutil.ParseAddrs returns "one or more addresses" (or an error)
 // so we'd have returned earlier.
diff --git a/internalshared/configutil/listener_test.go b/internalshared/configutil/listener_test.go
index bfd922faa8..51d0c094ed 100644
--- a/internalshared/configutil/listener_test.go
+++ b/internalshared/configutil/listener_test.go
@@ -529,7 +529,7 @@ func TestListener_parseProxySettings(t *testing.T) {
 "behavior-deny": {
 rawProxyProtocolAuthorizedAddrs: "10.0.0.1,10.0.2.1",
 expectedNumAddrs: 2,
- proxyBehavior: "deny_authorized",
+ proxyBehavior: "deny_unauthorized",
 isErrorExpected: false,
 },
 }
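Review bot: Any listener config that currently sets the misspelled value `deny_authorized`, which this `switch` accepted before the change, will now fall through to the default branch and fail validation, so the corrected `case` line is a breaking change for those operators even though the spelling was never the documented one. Consider accepting the old spelling as a deprecated alias that is normalised before the switch, e.g. `if l.ProxyProtocolBehavior == "deny_authorized" { l.ProxyProtocolBehavior = "deny_unauthorized" }` with an accompanying comment, or at minimum state the rejection explicitly in the changelog entry so the upgrade failure is expected. It is also worth confirming that the code which actually enforces the behavior (not visible in this hunk) matches on `deny_unauthorized`, since a validation-only fix would leave the documented setting accepted but unenforced. parseProxySettings continues outside the hunk.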
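Review bot: The `behavior-deny` case only shows that the corrected spelling is accepted; nothing in this table asserts that the old misspelling `deny_authorized` is now rejected, which is the other half of the change and the part most likely to regress silently. Assuming the table's error cases are shaped like the existing ones, a sibling entry such as `"behavior-deny-misspelled": { rawProxyProtocolAuthorizedAddrs: "10.0.0.1,10.0.2.1", proxyBehavior: "deny_authorized", isErrorExpected: true }` would pin that. TestListener_parseProxySettings continues outside the hunk.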