diff --git a/src/app/spreed-webrtc-server/users.go b/src/app/spreed-webrtc-server/users.go
index 8861a3a1..61fe312e 100644
--- a/src/app/spreed-webrtc-server/users.go
+++ b/src/app/spreed-webrtc-server/users.go
@@ -75,6 +75,9 @@ func (uh *UsersSharedsecretHandler) Validate(snr *SessionNonceRequest, request *
 
 	// Parse UseridCombo.
 	useridCombo := strings.SplitN(snr.UseridCombo, ":", 2)
+	if len(useridCombo) != 2 {
+		return "", errors.New("invalid useridcombo")
+	}
 	expirationString, userid := useridCombo[0], useridCombo[1]
 
 	expiration, err := strconv.ParseInt(expirationString, 10, 64)