diff --git a/password.php b/password.php
index c0ad396e2..6f6af3260 100644
--- a/password.php
+++ b/password.php
@@ -37,6 +37,8 @@ check_status(ACCESS_FREE);
 
 trigger_notify('loc_begin_password');
 
+check_input_parameter('action', $_GET, false, '/^(lost|reset|none)$/');
+
 // +-----------------------------------------------------------------------+
 // | Functions                                                             |
 // +-----------------------------------------------------------------------+