diff --git a/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs b/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
index d1c8a4ee47..4f2926d655 100644
--- a/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
@@ -103,8 +103,15 @@ async function setNewUserPassword(req, res, next) {
 AuthenticationController.finishLogin(user, req, res, next)
 }
 
+const requestResetSchema = z.object({
+ body: z.object({
+ email: z.string(),
+ }),
+})
+
 async function requestReset(req, res, next) {
- const email = EmailsHelper.parseEmail(req.body.email)
+ const { body } = validateReq(req, requestResetSchema)
+ const email = EmailsHelper.parseEmail(body.email)
 if (!email) {
 return res.status(400).json({
 message: req.i18n.translate('must_be_email_address'),
diff --git a/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs b/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs
index fa3f11347c..0cc97768c6 100644
--- a/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs
@@ -22,11 +22,6 @@ export default {
 )
 webRouter.post(
 '/user/password/reset',
- validate({
- body: Joi.object({
- email: Joi.string().required(),
- }),
- }),
 rateLimit,
 CaptchaMiddleware.validateCaptcha('passwordReset'),
 PasswordResetController.requestReset
@@ -59,11 +54,6 @@ export default {
 
 webRouter.post(
 '/user/reconfirm',
- validate({
- body: Joi.object({
- email: Joi.string().required(),
- }),
- }),
 rateLimit,
 CaptchaMiddleware.validateCaptcha('passwordReset'),
 PasswordResetController.requestReset
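Review bot: The type check on `email` now runs inside `requestReset` instead of as the first route middleware, so on both routes edited in PasswordResetRouter.mjs `rateLimit` and `CaptchaMiddleware.validateCaptcha('passwordReset')` handle the request before its body shape is checked; it is worth confirming that neither relied on the earlier Joi check when reading `req.body`. `z.string()` also accepts an empty string, which `Joi.string().required()` rejects by default, so the empty case now depends on `EmailsHelper.parseEmail` returning a falsy value to reach the 400 branch. I would add a comment above the schema such as `// email must be a string so arrays/objects never reach parseEmail or anything after it`, since that type constraint is the security-relevant part of the check on this unauthenticated endpoint. The rest of `requestReset` lies outside the hunk, so verify that it uses the validated `email`/`body.email` and never `req.body.email`; how a `validateReq` failure becomes an HTTP response is not visible here either.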