diff --git a/lib/Controller/ExAppProxyController.php b/lib/Controller/ExAppProxyController.php
index 71fe0b29..c65b8098 100644
--- a/lib/Controller/ExAppProxyController.php
+++ b/lib/Controller/ExAppProxyController.php
@@ -231,6 +231,12 @@ private function prepareProxy(
 string $appId, string $other, array &$route, array &$bruteforceProtection, int &$delay
 ): ?ExApp {
 $delay = 0;
+ if (preg_match('#(?:^|/|%2[fF])(?:\.|%2[eE]){2}(?:/|%2[fF]|$)#', $other) === 1) {
+ $this->logger->debug(
+ sprintf('Returning status 404 for "%s": path contains a parent-directory segment.', $other)
+ );
+ return null;
+ }
 $exApp = $this->exAppService->getExApp($appId);
 if ($exApp === null) {
 $this->logger->debug(
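Review bot: The added `preg_match` guard on `$other` recognises only `/`, `%2f`, `.` and `%2e`, so a backslash or `%5c` separator and any doubly encoded sequence are not matched by it. Whether those forms matter depends on how the path is decoded and forwarded later in `prepareProxy`, whose body continues outside this hunk. Checking the decoded segments is easier to reason about than enumerating encodings in a pattern: `$segments = explode('/', str_replace('\\', '/', rawurldecode($other)));` followed by `if (in_array('..', $segments, true)) {`. Whichever form is kept, a comment such as `// Reject ".." path segments, raw or percent-encoded, before the request is proxied to the ExApp` would record the intent, and a unit test over the encoded and mixed-case variants would pin the behaviour.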