diff --git a/.changeset/bright-bulldogs-heal.md b/.changeset/bright-bulldogs-heal.md
new file mode 100644
index 000000000000..2757980a0512
--- /dev/null
+++ b/.changeset/bright-bulldogs-heal.md
@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Ensures server island requests carry an encrypted component export identifier so they do not accidentally resolve to the wrong component.
diff --git a/packages/astro/src/core/server-islands/endpoint.ts b/packages/astro/src/core/server-islands/endpoint.ts
index 0a1a76a0f3ec..bfc1945fe2b5 100644
--- a/packages/astro/src/core/server-islands/endpoint.ts
+++ b/packages/astro/src/core/server-islands/endpoint.ts
@@ -43,7 +43,7 @@ export function injectServerIslandRoute(config: ConfigFields, routeManifest: Rou
 }
 
 type RenderOptions = {
-	componentExport: string;
+	encryptedComponentExport: string;
 	encryptedProps: string;
 	encryptedSlots: string;
 };
@@ -67,7 +67,7 @@ async function getRequestData(request: Request): Promise<Response | RenderOption
 
 			const encryptedSlots = params.get('s')!;
 			return {
-				componentExport: params.get('e')!,
+				encryptedComponentExport: params.get('e')!,
 				encryptedProps: params.get('p')!,
 				encryptedSlots,
 			};
@@ -75,14 +75,21 @@ async function getRequestData(request: Request): Promise<Response | RenderOption
 		case 'POST': {
 			try {
 				const raw = await request.text();
-				const data = JSON.parse(raw) as RenderOptions;
+				const data = JSON.parse(raw);
 
 				// Validate that slots is not plaintext
-				if ('slots' in data && typeof (data as any).slots === 'object') {
+				if ('slots' in data && typeof data.slots === 'object') {
 					return badRequest('Plaintext slots are not allowed. Slots must be encrypted.');
 				}
 
-				return data;
+				// Validate that componentExport is not plaintext
+				if ('componentExport' in data && typeof data.componentExport === 'string') {
+					return badRequest(
+						'Plaintext componentExport is not allowed. componentExport must be encrypted.',
+					);
+				}
+
+				return data as RenderOptions;
 			} catch (e) {
 				if (e instanceof SyntaxError) {
 					return badRequest('Request format is invalid.');
@@ -124,6 +131,15 @@ export function createEndpoint(manifest: SSRManifest) {
 		}
 
 		const key = await manifest.key;
+
+		// Decrypt componentExport
+		let componentExport: string;
+		try {
+			componentExport = await decryptString(key, data.encryptedComponentExport);
+		} catch (_e) {
+			return badRequest('Encrypted componentExport value is invalid.');
+		}
+
 		const encryptedProps = data.encryptedProps;
 
 		let props = {};
@@ -152,7 +168,7 @@ export function createEndpoint(manifest: SSRManifest) {
 		}
 
 		const componentModule = await imp();
-		let Component = (componentModule as any)[data.componentExport];
+		let Component = (componentModule as any)[componentExport];
 
 		const slots: ComponentSlots = {};
 		for (const prop in decryptedSlots) {
diff --git a/packages/astro/src/runtime/server/render/server-islands.ts b/packages/astro/src/runtime/server/render/server-islands.ts
index 897b878999c6..a7f211eb5705 100644
--- a/packages/astro/src/runtime/server/render/server-islands.ts
+++ b/packages/astro/src/runtime/server/render/server-islands.ts
@@ -33,9 +33,13 @@ function safeJsonStringify(obj: any) {
 		.replace(COMMENT_RE, COMMENT_REPLACER);
 }
 
-function createSearchParams(componentExport: string, encryptedProps: string, slots: string) {
+function createSearchParams(
+	encryptedComponentExport: string,
+	encryptedProps: string,
+	slots: string,
+) {
 	const params = new URLSearchParams();
-	params.set('e', componentExport);
+	params.set('e', encryptedComponentExport);
 	params.set('p', encryptedProps);
 	params.set('s', slots);
 	return params;
@@ -160,6 +164,10 @@ export class ServerIslandComponent {
 		}
 
 		const key = await this.result.key;
+
+		// Encrypt componentExport
+		const componentExportEncrypted = await encryptString(key, componentExport);
+
 		const propsEncrypted =
 			Object.keys(this.props).length === 0
 				? ''
@@ -177,7 +185,7 @@ export class ServerIslandComponent {
 
 		// Determine if its safe to use a GET request
 		const potentialSearchParams = createSearchParams(
-			componentExport,
+			componentExportEncrypted,
 			propsEncrypted,
 			slotsEncrypted,
 		);
@@ -202,7 +210,7 @@ export class ServerIslandComponent {
 let response = await fetch('${serverIslandUrl}', { headers });`
 			: // POST request
 				`let data = {
-	componentExport: ${safeJsonStringify(componentExport)},
+	encryptedComponentExport: ${safeJsonStringify(componentExportEncrypted)},
 	encryptedProps: ${safeJsonStringify(propsEncrypted)},
 	encryptedSlots: ${safeJsonStringify(slotsEncrypted)},
 };
diff --git a/packages/astro/test/csp-server-islands.test.js b/packages/astro/test/csp-server-islands.test.js
index 39ff5d58c6d4..95ef60a210cc 100644
--- a/packages/astro/test/csp-server-islands.test.js
+++ b/packages/astro/test/csp-server-islands.test.js
@@ -1,9 +1,31 @@
 import assert from 'node:assert/strict';
 import { after, before, describe, it } from 'node:test';
 import * as cheerio from 'cheerio';
+import { encryptString } from '../dist/core/encryption.js';
 import testAdapter from './test-adapter.js';
 import { loadFixture } from './test-utils.js';
 
+// Helper to create encryption key from test key string
+async function createKeyFromString(keyString) {
+	const binaryString = atob(keyString);
+	const bytes = new Uint8Array(binaryString.length);
+	for (let i = 0; i < binaryString.length; i++) {
+		bytes[i] = binaryString.charCodeAt(i);
+	}
+	return await crypto.subtle.importKey('raw', bytes, { name: 'AES-GCM' }, false, [
+		'encrypt',
+		'decrypt',
+	]);
+}
+
+// Helper to get encrypted componentExport for 'default'
+async function getEncryptedComponentExport(
+	keyString = 'eKBaVEuI7YjfanEXHuJe/pwZKKt3LkAHeMxvTU7aR0M=',
+) {
+	const key = await createKeyFromString(keyString);
+	return encryptString(key, 'default');
+}
+
 describe('Server islands', () => {
 	describe('SSR', () => {
 		/** @type {import('./test-utils').Fixture} */
@@ -44,10 +66,11 @@ describe('Server islands', () => {
 
 			it('island is not indexed', async () => {
 				const app = await fixture.loadTestAdapterApp();
+				const encryptedComponentExport = await getEncryptedComponentExport();
 				const request = new Request('http://example.com/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						encryptedSlots: '',
 					}),
diff --git a/packages/astro/test/server-islands.test.js b/packages/astro/test/server-islands.test.js
index 4a380da466b8..72a946958cc4 100644
--- a/packages/astro/test/server-islands.test.js
+++ b/packages/astro/test/server-islands.test.js
@@ -20,6 +20,14 @@ async function createKeyFromString(keyString) {
 	]);
 }
 
+// Helper to get encrypted componentExport for 'default'
+async function getEncryptedComponentExport(
+	keyString = 'eKBaVEuI7YjfanEXHuJe/pwZKKt3LkAHeMxvTU7aR0M=',
+) {
+	const key = await createKeyFromString(keyString);
+	return encryptString(key, 'default');
+}
+
 describe('Server islands', () => {
 	describe('SSR', () => {
 		/** @type {import('./test-utils').Fixture} */
@@ -61,10 +69,11 @@ describe('Server islands', () => {
 			});
 
 			it('island is not indexed', async () => {
+				const encryptedComponentExport = await getEncryptedComponentExport();
 				const res = await fixture.fetch('/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						encryptedSlots: '',
 					}),
@@ -73,10 +82,11 @@ describe('Server islands', () => {
 			});
 
 			it('island can set headers', async () => {
+				const encryptedComponentExport = await getEncryptedComponentExport();
 				const res = await fixture.fetch('/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						encryptedSlots: '',
 					}),
@@ -116,10 +126,11 @@ describe('Server islands', () => {
 			});
 
 			it('rejects invalid props', async () => {
+				const encryptedComponentExport = await getEncryptedComponentExport();
 				const res = await fixture.fetch('/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						// not the expected value:
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLE',
 						encryptedSlots: '',
@@ -128,11 +139,24 @@ describe('Server islands', () => {
 				assert.equal(res.status, 400);
 			});
 
-			it('rejects plaintext slots', async () => {
+			it('rejects plaintext componentExport', async () => {
 				const res = await fixture.fetch('/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
 						componentExport: 'default',
+						encryptedProps: '',
+						encryptedSlots: '',
+					}),
+				});
+				assert.equal(res.status, 400, 'should reject plaintext componentExport');
+			});
+
+			it('rejects plaintext slots', async () => {
+				const encryptedComponentExport = await getEncryptedComponentExport();
+				const res = await fixture.fetch('/_server-islands/Island', {
+					method: 'POST',
+					body: JSON.stringify({
+						encryptedComponentExport,
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						slots: { xss: '<img src=x onerror=alert(0)>' },
 					}),
@@ -140,22 +164,16 @@ describe('Server islands', () => {
 				assert.equal(res.status, 400, 'should reject unencrypted slots');
 			});
 
-			it('rejects plaintext slots with XSS payload via GET', async () => {
-				const res = await fixture.fetch(
-					'/_server-islands/Island?e=file&s=%7B%22xss%22%3A%22%3Cimg%20src%3Dx%20onerror%3Dalert(0)%3E%22%7D',
-				);
-				assert.equal(res.status, 400, 'should reject plaintext slots with XSS');
-			});
-
 			it('accepts encrypted slots via POST', async () => {
 				const key = await createKeyFromString('eKBaVEuI7YjfanEXHuJe/pwZKKt3LkAHeMxvTU7aR0M=');
+				const encryptedComponentExport = await encryptString(key, 'default');
 				const slotsToEncrypt = { content: '<p>Safe slot content</p>' };
 				const encryptedSlots = await encryptString(key, JSON.stringify(slotsToEncrypt));
 
 				const res = await fixture.fetch('/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						encryptedSlots: encryptedSlots,
 					}),
@@ -164,10 +182,11 @@ describe('Server islands', () => {
 			});
 
 			it('rejects invalid encrypted slots via POST', async () => {
+				const encryptedComponentExport = await getEncryptedComponentExport();
 				const res = await fixture.fetch('/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						// hard-coded invalid encrypted slot value:
 						encryptedSlots: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLE',
@@ -178,13 +197,14 @@ describe('Server islands', () => {
 
 			it('accepts encrypted slots with XSS payload via POST', async () => {
 				const key = await createKeyFromString('eKBaVEuI7YjfanEXHuJe/pwZKKt3LkAHeMxvTU7aR0M=');
+				const encryptedComponentExport = await encryptString(key, 'default');
 				const slotsToEncrypt = { xss: '<img src=x onerror=alert(0)>' };
 				const encryptedSlots = await encryptString(key, JSON.stringify(slotsToEncrypt));
 
 				const res = await fixture.fetch('/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						encryptedSlots: encryptedSlots,
 					}),
@@ -250,10 +270,11 @@ describe('Server islands', () => {
 
 			it('island is not indexed', async () => {
 				const app = await fixture.loadTestAdapterApp();
+				const encryptedComponentExport = await getEncryptedComponentExport();
 				const request = new Request('http://example.com/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						encryptedSlots: '',
 					}),
@@ -302,10 +323,11 @@ describe('Server islands', () => {
 
 			it('rejects invalid props', async () => {
 				const app = await fixture.loadTestAdapterApp();
+				const encryptedComponentExport = await getEncryptedComponentExport();
 				const request = new Request('http://example.com/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						// not the expected value:
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLE',
 						encryptedSlots: '',
@@ -318,13 +340,31 @@ describe('Server islands', () => {
 				assert.equal(response.status, 400);
 			});
 
-			it('rejects plaintext slots', async () => {
+			it('rejects plaintext componentExport', async () => {
 				const app = await fixture.loadTestAdapterApp();
 				const request = new Request('http://example.com/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
 						componentExport: 'default',
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
+						encryptedSlots: '',
+					}),
+					headers: {
+						origin: 'http://example.com',
+					},
+				});
+				const response = await app.render(request);
+				assert.equal(response.status, 400, 'should reject plaintext componentExport');
+			});
+
+			it('rejects plaintext slots', async () => {
+				const app = await fixture.loadTestAdapterApp();
+				const encryptedComponentExport = await getEncryptedComponentExport();
+				const request = new Request('http://example.com/_server-islands/Island', {
+					method: 'POST',
+					body: JSON.stringify({
+						encryptedComponentExport,
+						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						slots: { xss: '<img src=x onerror=alert(0)>' },
 					}),
 					headers: {
@@ -352,13 +392,14 @@ describe('Server islands', () => {
 			it('accepts encrypted slots via POST', async () => {
 				const app = await fixture.loadTestAdapterApp();
 				const key = await createKeyFromString('eKBaVEuI7YjfanEXHuJe/pwZKKt3LkAHeMxvTU7aR0M=');
+				const encryptedComponentExport = await encryptString(key, 'default');
 				const slotsToEncrypt = { content: '<p>Safe slot content</p>' };
 				const encryptedSlots = await encryptString(key, JSON.stringify(slotsToEncrypt));
 
 				const request = new Request('http://example.com/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						encryptedSlots: encryptedSlots,
 					}),
@@ -372,11 +413,12 @@ describe('Server islands', () => {
 
 			it('rejects invalid encrypted slots via POST', async () => {
 				const app = await fixture.loadTestAdapterApp();
+				const encryptedComponentExport = await getEncryptedComponentExport();
 
 				const request = new Request('http://example.com/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						// hard-coded invalid encrypted slot value:
 						encryptedSlots: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLE',
@@ -392,13 +434,14 @@ describe('Server islands', () => {
 			it('accepts encrypted slots with XSS payload via POST', async () => {
 				const app = await fixture.loadTestAdapterApp();
 				const key = await createKeyFromString('eKBaVEuI7YjfanEXHuJe/pwZKKt3LkAHeMxvTU7aR0M=');
+				const encryptedComponentExport = await encryptString(key, 'default');
 				const slotsToEncrypt = { xss: '<img src=x onerror=alert(0)>' };
 				const encryptedSlots = await encryptString(key, JSON.stringify(slotsToEncrypt));
 
 				const request = new Request('http://example.com/_server-islands/Island', {
 					method: 'POST',
 					body: JSON.stringify({
-						componentExport: 'default',
+						encryptedComponentExport,
 						encryptedProps: 'FC8337AF072BE5B1641501E1r8mLIhmIME1AV7UO9XmW9OLD',
 						encryptedSlots: encryptedSlots,
 					}),