diff --git a/services/web/app/src/Features/UserMembership/UserMembershipMiddleware.js b/services/web/app/src/Features/UserMembership/UserMembershipMiddleware.js
index 02505b4304..ef8f636409 100644
--- a/services/web/app/src/Features/UserMembership/UserMembershipMiddleware.js
+++ b/services/web/app/src/Features/UserMembership/UserMembershipMiddleware.js
@@ -1,3 +1,5 @@
+// @ts-check
+
 const { expressify } = require('@overleaf/promise-utils')
 const async = require('async')
 const UserMembershipAuthorization = require('./UserMembershipAuthorization')
@@ -7,6 +9,7 @@ const EntityConfigs = require('./UserMembershipEntityConfigs')
 const Errors = require('../Errors/Errors')
 const HttpErrorHandler = require('../Errors/HttpErrorHandler')
 const TemplatesManager = require('../Templates/TemplatesManager')
+const { z, zz, validateReq } = require('../../infrastructure/Validation')
 const { useAdminCapabilities } = require('../Helpers/AdminAuthorizationHelper')
 
 // set of middleware arrays or functions that checks user access to an entity
@@ -244,11 +247,18 @@ function fetchEntityConfig(entityName) {
 }
 
 // fetch the entity with id and config, and set it in the request
+const fetchEntitySchema = z.object({
+ params: z.object({
+ id: zz.objectId(),
+ }),
+})
+
 function fetchEntity() {
 return expressify(async (req, res, next) => {
+ const { params } = validateReq(req, fetchEntitySchema)
 req.entity =
 await UserMembershipHandler.promises.getEntityWithoutAuthorizationCheck(
- req.params.id,
+ params.id,
 req.entityConfig
 )
 next()
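Review bot: `fetchEntitySchema` forces `params.id` to be an ObjectId for every route that uses `fetchEntity()`, yet the lookup also receives `req.entityConfig`, which suggests this middleware is shared by several entity types. If any of those configs identifies its entities by something other than an ObjectId, its routes would now be rejected by `validateReq` before the lookup runs, so this is worth checking against the entity configs and recording above the schema, e.g. `// params.id must be an ObjectId: only use fetchEntity() with entity configs keyed by ObjectId`. The existing comment `// fetch the entity with id and config, and set it in the request` now sits on the schema instead of the function, so the schema would read better declared above that comment. The body of `fetchEntity` closes outside the hunk.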