diff --git a/server/src/services/database-backup.service.ts b/server/src/services/database-backup.service.ts
index 6333dbba12..02c1bda93f 100644
--- a/server/src/services/database-backup.service.ts
+++ b/server/src/services/database-backup.service.ts
@@ -16,6 +16,10 @@ export class DatabaseBackupService extends BaseService {
   }
 
   async deleteBackup(files: string[]): Promise<void> {
+    if (files.some((filename) => !isValidBackupName(filename))) {
+      throw new BadRequestException('Invalid backup name!');
+    }
+
     await Promise.all(files.map((filename) => deleteBackup(this.backupRepos, basename(filename))));
   }