diff --git a/app/forms/openid_connect_token_form.rb b/app/forms/openid_connect_token_form.rb
index 51cc41f2c5c..48b0dcd102b 100644
--- a/app/forms/openid_connect_token_form.rb
+++ b/app/forms/openid_connect_token_form.rb
@@ -64,7 +64,7 @@ def url_options
 attr_reader :identity
 def find_identity_with_code
- return if code.blank?
+ return if code.blank? || code.include?("\x00")
 session_expiration = AppConfig.env.session_timeout_in_minutes.to_i.minutes.ago
 @identity = Identity.where(session_uuid: code).
diff --git a/spec/forms/openid_connect_token_form_spec.rb b/spec/forms/openid_connect_token_form_spec.rb
index db50d924097..5515cd271ef 100644
--- a/spec/forms/openid_connect_token_form_spec.rb
+++ b/spec/forms/openid_connect_token_form_spec.rb
@@ -80,6 +80,15 @@ end end
+ context 'the code has a null byte' do
+ let(:code) { "\x00code"}
+
+ it 'is invalid' do
+ expect(valid?).to eq(false)
+ expect(form.errors[:code]).to include(t('openid_connect.token.errors.invalid_code'))
+ end
+ end
+
 context 'code has expired' do
 before { identity.update(updated_at: 1.day.ago) }
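Review bot: The new guard on the `return if` line rejects only an embedded NUL, while other malformed bytes in `code` — notably an invalid UTF-8 sequence — still reach `Identity.where(session_uuid: code)` and, depending on the database adapter, can raise from the query just as a NUL did; if that is the failure being prevented, `return if code.blank? || !code.valid_encoding? || code.include?("\x00")` closes both cases at once. The reason for the check is not recorded anywhere in the hunk; a comment such as `# The database rejects NUL bytes in bind parameters; treat such a code as simply not found.` would keep the next reader from removing it as redundant. Validating `code` against the expected shape of `session_uuid` (presumably a UUID) would be stricter still, but that depends on how the column is populated, which is not visible here. find_identity_with_code's body continues past the end of the hunk.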
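Review bot: The new `let` block is missing the space before its closing brace; `let(:code) { "\x00code" }` matches the brace spacing used by the `before { ... }` block two lines below and by the community style guide. The example pins a leading NUL only, which is fine since `include?` is position-independent, but a sibling example with an invalid UTF-8 byte such as `"\xff"` would document whether the form is expected to tolerate that input as well.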