From 62b65e69aba0fe523347b80c6d2b064b04d07f85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Mon, 6 Apr 2026 17:19:55 -0400
Subject: [PATCH] fix: closes #14151, handle null req.body
---
 src/controllers/authentication.js | 1 +
 test/authentication.js | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js
index fab6b8d8cc..c388023840 100644
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -221,6 +221,7 @@ authenticationController.login = async (req, res, next) => {
 }
 const loginWith = meta.config.allowLoginWith || 'username-email';
+ req.body = req.body || {};
 req.body.username = String(req.body.username).trim();
 const errorHandler = res.locals.noScriptErrors || helpers.noScriptErrors;
 try {
diff --git a/test/authentication.js b/test/authentication.js
index b1fbf66b32..4fb9fcb5ad 100644
--- a/test/authentication.js
+++ b/test/authentication.js
@@ -284,6 +284,21 @@ describe('authentication', () => {
 assert.equal(response.status, 500);
 });
+ it('should fail to login if body is missing', async () => {
+ const jar = request.jar();
+ const csrf_token = await helpers.getCsrfToken(jar);
+
+ const { response, body } = await request.post(`${nconf.get('url')}/login`, {
+ body: null,
+ jar: jar,
+ headers: {
+ 'x-csrf-token': csrf_token,
+ },
+ });
+ assert.equal(response.status, 403);
+ assert.strictEqual(body, '[[error:invalid-username-or-password]]');
+ });
+
 it('should fail to login if user does not exist', async () => {
 const { response, body } = await helpers.loginUser('doesnotexist', 'nopassword');
 assert.equal(response.statusCode, 403);
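Review bot: In src/controllers/authentication.js the new fallback `req.body = req.body || {};` stops the next line from throwing, but `String(req.body.username)` then turns the missing field into the literal username `'undefined'`, so a request with no body is processed as a login attempt for that name rather than rejected as malformed. Whether that attempt reaches failed-login counters or login logs cannot be seen here, because the body of `authenticationController.login` continues outside the hunk. I would type-check the field at this boundary, for example `req.body.username = typeof req.body.username === 'string' ? req.body.username.trim() : '';`, and confirm that the code below treats an empty username as invalid. The fallback also lets any truthy non-object body through, so `if (!req.body || typeof req.body !== 'object') { req.body = {}; }` would be the stricter guard.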
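Review bot: In test/authentication.js the new case `should fail to login if body is missing` covers only `body: null`; a body that is present but has no `username`, or carries a non-string one such as an array or object, goes through the same `String(...)` coercion in the controller and is not exercised. The asserted 403 appears to depend on no fixture account being named `undefined`, which is worth stating above the assertions, e.g. `// no body: username is coerced to 'undefined' and must not match any account`. A sibling case posting `{ username: ['a'], password: 'x' }` with the same two assertions would pin the behaviour for malformed field types as well.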