diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js
index fef6f088b6..d5a0965d7b 100644
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -420,6 +420,10 @@ authenticationController.localLogin = async function (req, username, password, n
 }
 const userslug = slugify(username);
+ if (!utils.isUserNameValid(username) || !userslug) {
+ return next(new Error('[[error:invalid-username]]'));
+ }
+
 const uid = await user.getUidByUserslug(userslug);
 try {
 const [userData, isAdminOrGlobalMod, canLoginIfBanned] = await Promise.all([
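Review bot: `slugify(username)` still runs on the raw value before the new check, so the validity test would sit better ahead of it, as `if (!utils.isUserNameValid(username)) { return next(new Error('[[error:invalid-username]]')); }`, with the `!userslug` test kept after the slug is computed. The hunk does not show whether `username` is guaranteed to be a string at this point; if it can arrive as an array or object from the request body, a `typeof username !== 'string'` guard belongs in the same condition. `isUserNameValid` is presumably the rule applied at registration, so it is worth confirming that accounts created under older or imported naming rules can still log in. A short comment such as `// reject malformed names before they reach the userslug lookup` would record why the check is here. The body of `localLogin` starts and ends outside the hunk.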