diff --git a/app/Http/Controllers/Auth/ForgotPasswordController.php b/app/Http/Controllers/Auth/ForgotPasswordController.php
index a7322e7e5953..f385c054c691 100644
--- a/app/Http/Controllers/Auth/ForgotPasswordController.php
+++ b/app/Http/Controllers/Auth/ForgotPasswordController.php
@@ -50,14 +50,14 @@ public function getEmailSubject()
 */
 public function sendResetLinkEmail(Request $request)
 {
-
 /**
 * Let's set a max character count here to prevent potential
 * buffer overflow issues with attackers sending very large
- * payloads through.
+ * payloads through. The addition of the string rule prevents attackers
+ * sending arrays through and causing 500s
 */
 $request->validate([
- 'username' => ['required', 'max:255'],
+ 'username' => ['required', 'max:255', 'string'],
 ]);
 /**
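Review bot: The docblock above `$request->validate([` still describes `max:255` as a guard against "buffer overflow", which is not what the rule does in PHP; it bounds input length, and only once the value is known to be a string, since Laravel's `max` counts elements when it is handed an array. I would list the type rule first, `'username' => ['required', 'string', 'max:255'],`, and reword the comment to say that `string` rejects array-valued input (the cause of the 500s) and `max` caps the length of what the code below receives. The rest of sendResetLinkEmail is outside this hunk, so whether `username` is read anywhere other than after this validation cannot be confirmed from here. A regression test that posts an array for `username` and expects a validation error rather than a 500 would keep this from reappearing; none is visible in this diff.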