diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 4558934dacf..b410ba68ee0 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -456,15 +456,20 @@ void fs_check_private_dir(void) {
 void fs_check_private_cwd(const char *dir) {
 	EUID_ASSERT();
 	invalid_filename(dir, 0); // no globbing
+	if (strcmp(dir, ".") == 0 || *dir != '/')
+		goto errout;
 	// Expand the working directory
 	cfg.cwd = expand_macros(dir);
 	// realpath/is_dir not used because path may not exist outside of jail
-	if (strstr(cfg.cwd, "..")) {
-		fprintf(stderr, "Error: invalid private working directory\n");
-		exit(1);
-	}
+	if (strstr(cfg.cwd, ".."))
+		goto errout;
+
+	return;
+errout:
+	fprintf(stderr, "Error: invalid private working directory\n");
+	exit(1);
 }
 //***********************************************************************************
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 96fa4c81af5..53b1e69147d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1058,6 +1058,11 @@ int sandbox(void* sandbox_arg) {
 	EUID_USER();
 	int cwd = 0;
 	if (cfg.cwd) {
+		if (is_link(cfg.cwd)) {
+			fprintf(stderr, "Error: unable to enter private working directory: %s\n", cfg.cwd);
+			exit(1);
+		}
+
 		if (chdir(cfg.cwd) == 0)
 			cwd = 1;
 		else if (arg_private_cwd) {
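Review bot: The `strcmp(dir, ".") == 0` half of the new guard in fs_check_private_cwd is dead: "." does not start with '/', so `*dir != '/'` already rejects it, and the line can be reduced to `if (*dir != '/')`. Note also that this absolute-path check runs on the raw argument before `expand_macros(dir)`, so any macro- or tilde-prefixed form that expand_macros would otherwise turn into an absolute path is now refused up front; if that is intended, say so in a comment such as `// must already be absolute: macros are not accepted here`. The `strstr(cfg.cwd, "..")` test is conservative in that it also rejects names merely containing two dots (e.g. `foo..bar`); that is a safe trade-off but worth a one-line comment so nobody later "fixes" it into a segment-wise check without considering the resolution-outside-the-jail concern the existing comment alludes to.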
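Review bot: In sandbox(), `is_link(cfg.cwd)` followed by `chdir(cfg.cwd)` is a check-then-use pair on a user-controlled path: the final component can be replaced by a symlink between the two calls, and (assuming is_link inspects only the last component) a symlink in an intermediate component is not caught at all. If the goal is that the working directory never resolves through a symlink at the final component, opening it with `O_NOFOLLOW` and using `fchdir()` makes the refusal atomic — the kernel reports `ELOOP` for a symlink, dangling or not — while other chdir failures keep falling through to the existing `arg_private_cwd` handling, whose body continues outside this hunk. Intermediate components would still need a separate walk if they matter here; that should be stated in a comment either way. `O_PATH` avoids requiring read permission on the directory (chdir only needs search permission) and needs `<fcntl.h>` with `_GNU_SOURCE`, which the file presumably already has for its other Linux-specific calls.
```c
	if (cfg.cwd) {
		// O_NOFOLLOW refuses a symlink at the final component atomically
		// (ELOOP), unlike an is_link() check followed by chdir(); intermediate
		// components may still be symlinks.
		int dfd = open(cfg.cwd, O_PATH | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
		if (dfd < 0 && errno == ELOOP) {
			fprintf(stderr, "Error: unable to enter private working directory: %s\n", cfg.cwd);
			exit(1);
		}
		if (dfd >= 0) {
			if (fchdir(dfd) == 0)
				cwd = 1;
			close(dfd);
		}
		if (!cwd && arg_private_cwd) {
			// … unchanged: existing chdir-failure handling …
```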