diff --git a/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs b/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
index 4f2926d655..5bb172d46c 100644
--- a/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
@@ -155,23 +155,32 @@ async function requestReset(req, res, next) {
   }
 }
 
+const renderSetPasswordFormSchema = z.object({
+  query: z.object({
+    email: z.string(),
+    passwordResetToken: z.string().optional(),
+  }),
+})
+
 async function renderSetPasswordForm(req, res, next) {
-  if (req.query.passwordResetToken != null) {
+  const { query } = validateReq(req, renderSetPasswordFormSchema)
+
+  if (query.passwordResetToken != null) {
     try {
       const result =
         await PasswordResetHandler.promises.getUserForPasswordResetToken(
-          req.query.passwordResetToken
+          query.passwordResetToken
         )
 
       const { user, remainingPeeks } = result || {}
       if (!user || remainingPeeks <= 0) {
         return res.redirect('/user/password/reset?error=token_expired')
       }
-      req.session.resetToken = req.query.passwordResetToken
+      req.session.resetToken = query.passwordResetToken
       let emailQuery = ''
 
-      if (typeof req.query.email === 'string') {
-        const email = EmailsHelper.parseEmail(req.query.email)
+      if (typeof query.email === 'string') {
+        const email = EmailsHelper.parseEmail(query.email)
         if (email) {
           emailQuery = `?email=${encodeURIComponent(email)}`
         }
@@ -190,7 +199,7 @@ async function renderSetPasswordForm(req, res, next) {
     return res.redirect('/user/password/reset')
   }
 
-  const email = EmailsHelper.parseEmail(req.query.email)
+  const email = EmailsHelper.parseEmail(query.email)
 
   // clean up to avoid leaking the token in the session object
   const passwordResetToken = req.session.resetToken
diff --git a/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs b/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs
index 0cc97768c6..c73631b591 100644
--- a/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs
@@ -30,12 +30,6 @@ export default {
 
     webRouter.get(
       '/user/password/set',
-      validate({
-        query: {
-          email: Joi.string().required(),
-          passwordResetToken: Joi.string(),
-        },
-      }),
       rateLimit,
       PasswordResetController.renderSetPasswordForm
     )