diff --git a/app/controllers/users/email_confirmations_controller.rb b/app/controllers/users/email_confirmations_controller.rb
index 6f1ac0b81f2..862072cfae6 100644
--- a/app/controllers/users/email_confirmations_controller.rb
+++ b/app/controllers/users/email_confirmations_controller.rb
@@ -15,7 +15,9 @@ def create
     def email_address
       return @email_address if defined?(@email_address)
-      email_address = EmailAddress.find_with_confirmation_token(params[:confirmation_token])
+      email_address = EmailAddress.find_with_confirmation_token(
+        confirmation_params[:confirmation_token],
+      )
       if email_address&.user&.confirmed?
         @email_address = email_address
       else
@@ -90,5 +92,9 @@ def email_address_already_confirmed_by_current_user?
       user_signed_in? && email_confirmation_token_validator.email_address_already_confirmed_by_user?(current_user)
     end
+
+    def confirmation_params
+      params.permit(:confirmation_token)
+    end
   end
 end
diff --git a/spec/controllers/users/email_confirmations_controller_spec.rb b/spec/controllers/users/email_confirmations_controller_spec.rb
index 70f4e07bf8c..3da7fa06e62 100644
--- a/spec/controllers/users/email_confirmations_controller_spec.rb
+++ b/spec/controllers/users/email_confirmations_controller_spec.rb
@@ -60,5 +60,12 @@
       expect(flash[:error]).to eq t('errors.messages.confirmation_invalid_token')
     end
   end
+
+  describe 'Invalid email confirmation tokens' do
+    it 'rejects invalid parameters' do
+      get :create, params: { confirmation_token: { confirmation_token: 'abc' } }
+      expect(flash[:error]).to eq t('errors.messages.confirmation_invalid_token')
+    end
+  end
 end
 end
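Review bot: With `params.permit(:confirmation_token)` a non-scalar token (a nested hash or an array) is silently dropped, so `confirmation_params[:confirmation_token]` becomes `nil` and the lookup in `email_address` now runs with a `nil` token for malformed input as well as for a missing one; unless `EmailAddress.find_with_confirmation_token` is known to reject blank tokens (it is not in this hunk), a `nil` argument handed to a `where`/`find_by` style finder matches any row whose stored token is `NULL`. A guard in the controller makes the intent explicit regardless of the finder's behaviour: `token = confirmation_params[:confirmation_token]` and `return @email_address = nil if token.blank?` before the `EmailAddress.find_with_confirmation_token(token)` call, assuming the `else` branch below the hunk does no more than clear `@email_address`. Note also that `permit` reports every unpermitted key through `action_on_unpermitted_parameters`, so if any environment sets that to `:raise` the new spec will see an exception instead of the flash. `email_address` continues past the end of the hunk, and the placement of `confirmation_params` relative to the file's `private` marker is not visible here; if it lands above it, mark it private so it is not routable as an action.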
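Review bot: The new example in the spec covers only a hash-valued `confirmation_token`; an array-valued token (`confirmation_token[]=abc`) and an absent token take the same `permit` path and should be exercised too, so that a later change to `confirmation_params` cannot regress either shape unnoticed. A second `it` with `get :create, params: { confirmation_token: ['abc'] }` and a third with no `confirmation_token` at all, each asserting the same `flash[:error]`, would do. It is also worth asserting on the outcome rather than only the flash, e.g. that no email address ends up confirmed, since the flash message can be set on several paths; that expectation depends on helpers defined outside this hunk, so the exact form is for the author to choose.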