diff --git a/backend/src/api/routes/users.ts b/backend/src/api/routes/users.ts
index e237e8470..3d792f4b3 100644
--- a/backend/src/api/routes/users.ts
+++ b/backend/src/api/routes/users.ts
@@ -258,7 +258,10 @@ router.patch(
 RateLimit.userTagsEdit,
 validateRequest({
 body: {
- tagId: joi.string().required(),
+ tagId: joi
+ .string()
+ .regex(/^[a-f\d]{24}$/i)
+ .required(),
 newName: tagNameValidation,
 },
 }),
@@ -271,7 +274,10 @@ router.delete(
 RateLimit.userTagsRemove,
 validateRequest({
 params: {
- tagId: joi.string().required(),
+ tagId: joi
+ .string()
+ .regex(/^[a-f\d]{24}$/i)
+ .required(),
 },
 }),
 asyncHandler(UserController.removeTag)
@@ -283,7 +289,10 @@ router.delete(
 RateLimit.userTagsClearPB,
 validateRequest({
 params: {
- tagId: joi.string().required(),
+ tagId: joi
+ .string()
+ .regex(/^[a-f\d]{24}$/i)
+ .required(),
 },
 }),
 asyncHandler(UserController.clearTagPb)
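Review bot: The id pattern `/^[a-f\d]{24}$/i` is written out three times, in the `router.patch` body schema and in both `router.delete` params schemas, so a later change to the id format can miss one route and leave it accepting arbitrary strings again. Defining it once next to wherever `tagNameValidation` lives, e.g. `const tagIdValidation = joi.string().regex(/^[a-f\d]{24}$/i).required();`, and writing `tagId: tagIdValidation` in all three schemas keeps the check in one place. The pattern itself is sound in JavaScript: without the `m` flag `$` matches only at the end of input, so a value with a trailing newline is rejected. All three route definitions begin and end outside their hunks, and whether other routes in this file pass ids to the database without the same check is not visible here.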