diff --git a/apps/provisioning_api/lib/Controller/UsersController.php b/apps/provisioning_api/lib/Controller/UsersController.php
index 95778eff366..97d94ecb407 100644
--- a/apps/provisioning_api/lib/Controller/UsersController.php
+++ b/apps/provisioning_api/lib/Controller/UsersController.php
@@ -246,6 +246,13 @@ class UsersController extends AUserData {
 		if ($currentUser === null) {
 			return new DataResponse(['users' => []]);
 		}
+		if ($limit !== null && $limit < 0) {
+			throw new InvalidArgumentException("Invalid limit value: $limit");
+		}
+		if ($offset < 0) {
+			throw new InvalidArgumentException("Invalid offset value: $offset");
+		}
+
 		$users = [];
 
 		// Admin? Or SubAdmin?