diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js
index fab6b8d8cc..c388023840 100644
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -221,6 +221,7 @@ authenticationController.login = async (req, res, next) => {
 }
 const loginWith = meta.config.allowLoginWith || 'username-email';
+ req.body = req.body || {};
 req.body.username = String(req.body.username).trim();
 const errorHandler = res.locals.noScriptErrors || helpers.noScriptErrors;
 try {
diff --git a/test/authentication.js b/test/authentication.js
index b1fbf66b32..4fb9fcb5ad 100644
--- a/test/authentication.js
+++ b/test/authentication.js
@@ -284,6 +284,21 @@ describe('authentication', () => {
 assert.equal(response.status, 500);
 });
+ it('should fail to login if body is missing', async () => {
+ const jar = request.jar();
+ const csrf_token = await helpers.getCsrfToken(jar);
+
+ const { response, body } = await request.post(`${nconf.get('url')}/login`, {
+ body: null,
+ jar: jar,
+ headers: {
+ 'x-csrf-token': csrf_token,
+ },
+ });
+ assert.equal(response.status, 403);
+ assert.strictEqual(body, '[[error:invalid-username-or-password]]');
+ });
+
+
 it('should fail to login if user does not exist', async () => {
 const { response, body } = await helpers.loginUser('doesnotexist', 'nopassword');
 assert.equal(response.statusCode, 403);
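Review bot: With an absent body the following line still runs `String(req.body.username)` on `undefined`, so the username passed on to authentication is the literal string `undefined` rather than an empty value; the added `req.body = req.body || {};` only prevents the TypeError. Coercing a missing field to empty, e.g. `req.body.username = String(req.body.username || '').trim();`, would keep a bodiless request from being handled as a login attempt against an account of that name. Whether failed-attempt counters or lockouts key on this value is not visible in the hunk and should be checked. The guard also lets a truthy non-object body (a string, for example) through, where the property assignment would not take effect as intended. The body of `authenticationController.login` continues outside the hunk.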
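Review bot: The new test exercises only `body: null`; a request whose body is an object without `username` (for instance `body: {}`) goes through the same `String(req.body.username)` coercion in the controller and is not pinned by any assertion here. A second case asserting the same 403 and `[[error:invalid-username-or-password]]` for `{}` would cover it. The expected result presumably also depends on no fixture account being named `undefined`, which a comment such as `// relies on no user named "undefined" existing` would make explicit.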