diff --git a/services/web/app/src/Features/Subscription/SubscriptionController.js b/services/web/app/src/Features/Subscription/SubscriptionController.js
index dfeea7969e..74594076c8 100644
--- a/services/web/app/src/Features/Subscription/SubscriptionController.js
+++ b/services/web/app/src/Features/Subscription/SubscriptionController.js
@@ -650,9 +650,16 @@ async function purchaseAddon(req, res, next) {
 return res.sendStatus(200)
 }

+const removeAddonSchema = z.object({
+ params: z.object({
+ addOnCode: z.string(),
+ }),
+})
+
 async function removeAddon(req, res, next) {
 const user = SessionManager.getSessionUser(req.session)
- const addOnCode = req.params.addOnCode
+ const { params } = validateReq(req, removeAddonSchema)
+ const addOnCode = params.addOnCode

 if (addOnCode !== AI_ADD_ON_CODE) {
 return res.sendStatus(404)
diff --git a/services/web/app/src/Features/Subscription/SubscriptionRouter.mjs b/services/web/app/src/Features/Subscription/SubscriptionRouter.mjs
index a5fb7d695d..29ca931c06 100644
--- a/services/web/app/src/Features/Subscription/SubscriptionRouter.mjs
+++ b/services/web/app/src/Features/Subscription/SubscriptionRouter.mjs
@@ -183,11 +183,6 @@ export default {
 webRouter.post(
 '/user/subscription/addon/:addOnCode/remove',
 AuthenticationController.requireLogin(),
- validate({
- params: Joi.object({
- addOnCode: Joi.string(),
- }),
- }),
 RateLimiterMiddleware.rateLimit(subscriptionRateLimiter),
 SubscriptionController.removeAddon
 )
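Review bot: `removeAddonSchema` constrains `addOnCode` only with `z.string()`, which a matched Express path parameter always satisfies, so the effective gate on this route is still the `addOnCode !== AI_ADD_ON_CODE` comparison a few lines further down in `removeAddon`. I would say so above the schema, e.g. `// Type check only; removeAddon rejects any code other than AI_ADD_ON_CODE with 404`, so that nobody later drops the comparison believing the schema covers it. Validation now also runs inside the async handler instead of as router middleware, so presumably a `validateReq` failure surfaces as a thrown error; the hunk does not show how `removeAddon` is exported, so confirm that such a rejection reaches the error handler rather than leaving the request unanswered. The body of `removeAddon` continues past the end of the hunk.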