diff --git a/services/web/app/src/Features/User/UserPagesController.js b/services/web/app/src/Features/User/UserPagesController.js
index 23ef4cec65..5fb2564d56 100644
--- a/services/web/app/src/Features/User/UserPagesController.js
+++ b/services/web/app/src/Features/User/UserPagesController.js
@@ -34,6 +34,10 @@ const UserPagesController = {
       return ErrorController.notFound(req, res)
     }
 
+    if (typeof req.query.user_id !== 'string') {
+      return ErrorController.forbidden(req, res)
+    }
+
     UserGetter.getUser(
       req.query.user_id,
       { email: 1, loginCount: 1 },
diff --git a/services/web/test/unit/src/User/UserPagesControllerTests.js b/services/web/test/unit/src/User/UserPagesControllerTests.js
index e3f0e9043a..d44477584e 100644
--- a/services/web/test/unit/src/User/UserPagesControllerTests.js
+++ b/services/web/test/unit/src/User/UserPagesControllerTests.js
@@ -318,6 +318,12 @@ describe('UserPagesController', function() {
       return this.UserPagesController.activateAccountPage(this.req, this.res)
     })
 
+    it('should 403 for complex user_id', function(done) {
+      this.ErrorController.forbidden = () => done()
+      this.req.query.user_id = { first_name: 'X' }
+      return this.UserPagesController.activateAccountPage(this.req, this.res)
+    })
+
     it('should redirect activated users to login', function(done) {
       this.user.loginCount = 1
       this.res.redirect = url => {