diff --git a/www/errorreport.php b/www/errorreport.php
index 1c80713058474b613f35fa9a80b877493c7570b8..025a81edecebf5602e65820f3c75ba0425683e77 100644
--- a/www/errorreport.php
+++ b/www/errorreport.php
@@ -17,6 +17,10 @@ $reportId = $_REQUEST['reportId'];
 $email = $_REQUEST['email'];
 $text = $_REQUEST['text'];
 
+if (!preg_match('/^[0-9a-f]{8}$/', $reportId)) {
+    throw new \SimpleSAML\Error\Exception('Invalid reportID');
+}
+
 $data = null;
 try {
     $session = \SimpleSAML\Session::getSessionFromRequest();
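Review bot: The `$` anchor in the added `preg_match` on the `reportId` check also matches just before a trailing newline, so eight hex characters followed by `\n` still pass. Anchor with `\z` and check the type first: `if (!is_string($reportId) || !preg_match('/^[0-9a-f]{8}\z/', $reportId)) {`. The `is_string` guard also covers array input such as `reportId[]=x`, which on PHP 8 would raise a `TypeError` from `preg_match` instead of the intended exception. How `$reportId` is used afterwards is not visible, because the `try` block continues past the end of this hunk. If it reaches a session lookup key, a log line or mail text, the stray newline is worth closing off here.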