diff --git a/Classes/Controller/FormController.php b/Classes/Controller/FormController.php
index d1a90d50a..3a61a024d 100644
--- a/Classes/Controller/FormController.php
+++ b/Classes/Controller/FormController.php
@@ -299,6 +299,9 @@ public function initializeCreateAction(): void
 */
 public function createAction(Mail $mail, string $hash = ''): ResponseInterface
 {
+ if ($mail->getUid() !== null && !HashUtility::isHashValid($hash, $mail)) {
+ return (new ForwardResponse('form'))->withoutArguments();
+ }
 $event = GeneralUtility::makeInstance(FormControllerCreateActionBeforeRenderViewEvent::class, $mail, $hash, $this);
 $this->eventDispatcher->dispatch($event);
 $mail = $event->getMail();
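Review bot: The new guard at the top of createAction() rejects a persisted Mail whose hash does not validate, but it does so silently and without a comment explaining why the check is gated on `$mail->getUid() !== null`. I would add a line such as `// Persisted mails (uid set) are only accepted with a valid hash; new submissions have no uid yet.` so the condition is not loosened later, and log the rejection before the forward, since a hash mismatch on an existing record is a useful tampering signal. Note also that `$mail = $event->getMail();` a few lines below can replace the object after this check, so the validation covers only the Mail bound from the request, not one a listener substitutes. Whether `HashUtility::isHashValid()` rejects the default empty `$hash` and compares in constant time is not visible in this hunk and should be confirmed. The body of createAction() continues outside the hunk.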