diff --git a/services/web/app/src/Features/Collaborators/CollaboratorsRouter.mjs b/services/web/app/src/Features/Collaborators/CollaboratorsRouter.mjs
index a057e1d8fe..63a88c10e2 100644
--- a/services/web/app/src/Features/Collaborators/CollaboratorsRouter.mjs
+++ b/services/web/app/src/Features/Collaborators/CollaboratorsRouter.mjs
@@ -103,6 +103,18 @@ export default {
 }),
 CaptchaMiddleware.validateCaptcha('invite'),
 AuthenticationController.requireLogin(),
+ validate({
+ body: Joi.object({
+ email: Joi.string().required(),
+ privileges: Joi.string()
+ .valid(
+ PrivilegeLevels.READ_ONLY,
+ PrivilegeLevels.READ_AND_WRITE,
+ PrivilegeLevels.REVIEW
+ )
+ .required(),
+ }),
+ }),
 AuthorizationMiddleware.ensureUserCanAdminProject,
 CollaboratorsInviteController.inviteToProject
 )
diff --git a/services/web/test/acceptance/src/ProjectInviteTests.mjs b/services/web/test/acceptance/src/ProjectInviteTests.mjs
index 319d8f9ed1..df13d71d37 100644
--- a/services/web/test/acceptance/src/ProjectInviteTests.mjs
+++ b/services/web/test/acceptance/src/ProjectInviteTests.mjs
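Review bot: The new `email` rule is only `Joi.string().required()`, so any non-empty string of any length passes the middleware and reaches `CollaboratorsInviteController.inviteToProject`; if the controller does not itself parse and normalise the address (not visible in this hunk), the schema should bound it, e.g. `email: Joi.string().max(254).required()`, or use `.email()` if Joi's address format matches what the invite flow accepts. `Joi.object({...})` rejects unknown body keys only if the `validate` helper keeps Joi's default rather than passing `allowUnknown`, and the helper is outside the hunk, so confirm that extra fields are not silently forwarded. Since `validate` now runs before `ensureUserCanAdminProject`, a logged-in non-admin gets a 400 schema error instead of the authorization response for malformed bodies on this route — harmless, but worth noting next to the middleware chain, e.g. `// body schema is checked before project-admin authorization`.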
@@ -361,6 +361,60 @@ describe('ProjectInviteTests', function () {
 )
 })
 
+ it('should fail if email is not a string', function (done) {
+ this.sendingUser.getCsrfToken(err => {
+ if (err) {
+ return done(err)
+ }
+ this.sendingUser.request.post(
+ {
+ uri: `/project/${this.projectId}/invite`,
+ json: {
+ email: {},
+ privileges: 'readAndWrite',
+ },
+ },
+ (err, response, body) => {
+ if (err) {
+ return done(err)
+ }
+ expect(response.statusCode).to.equal(400)
+ expect(response.body.validation.body.message).to.equal(
+ '"email" must be a string'
+ )
+ done()
+ }
+ )
+ })
+ })
+
+ it('should fail on invalid privileges', function (done) {
+ this.sendingUser.getCsrfToken(err => {
+ if (err) {
+ return done(err)
+ }
+ this.sendingUser.request.post(
+ {
+ uri: `/project/${this.projectId}/invite`,
+ json: {
+ email: this.email,
+ privileges: 'invalid-privilege',
+ },
+ },
+ (err, response, body) => {
+ if (err) {
+ return done(err)
+ }
+ expect(response.statusCode).to.equal(400)
+ expect(response.body.validation.body.message).to.equal(
+ '"privileges" must be one of [readOnly, readAndWrite, review]'
+ )
+ done()
+ }
+ )
+ })
+ })
+
 it('should allow the project owner to create and remove invites', function (done) {
 Async.series(
 [
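Review bot: Both new tests send a body with `email` and `privileges` present, so the `.required()` half of the route schema is never exercised; a case omitting `privileges` (and one omitting `email`) asserting 400 would pin that too, e.g. `json: { email: this.email }` with `expect(response.body.validation.body.message).to.equal('"privileges" is required')`. Asserting the exact Joi message text ties these tests to Joi's default English messages; if the `validate` helper customises messages anywhere (it is not in the diff), comparing on the status code plus the offending key would be more robust. The `body` parameter of both response callbacks is unused and can be dropped to match the other callbacks in this file if they omit it.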