diff --git a/reg-tests/http-messaging/protocol_upgrade.vtc b/reg-tests/http-messaging/protocol_upgrade.vtc
index be291f18c50a3..209d404fa03b7 100644
--- a/reg-tests/http-messaging/protocol_upgrade.vtc
+++ b/reg-tests/http-messaging/protocol_upgrade.vtc
@@ -252,4 +252,28 @@ client c7_h2c -connect ${hap_frt_h1_h2c_sock} {
 
 	rxresp
 	expect resp.status == 200
+}
+
+# extended connect with invalid "h2c" protocol
+client c8_h2c -connect ${hap_frt_h2_h1_sock} {
+	txpri
+	stream 0 {
+		txsettings
+		rxsettings
+		txsettings -ack
+		rxsettings
+		expect settings.ack == true
+	} -run
+
+	stream 1 {
+		txreq \
+		  -req "CONNECT" \
+		  -scheme "http" \
+		  -url "/" \
+		  -hdr ":authority" "127.0.0.1" \
+		  -hdr ":protocol" "h2c"
+
+		rxrst
+		expect rst.err == 1
+	} -run
 } -run
diff --git a/src/h2.c b/src/h2.c
index 9c60cc6b30b01..c2b41a8485dad 100644
--- a/src/h2.c
+++ b/src/h2.c
@@ -460,6 +460,12 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms
 	}
 
 	if (*msgf & H2_MSGF_EXT_CONNECT) {
+		/* Consider "h2c" / "h2" as invalid protocol value for Extended CONNECT. */
+		if (isteqi(phdr_val[H2_PHDR_IDX_PROT], ist("h2c")) ||
+		    isteqi(phdr_val[H2_PHDR_IDX_PROT], ist("h2"))) {
+			goto fail;
+		}
+
 		if (!htx_add_header(htx, ist("upgrade"), phdr_val[H2_PHDR_IDX_PROT]))
 			goto fail;
 		if (!htx_add_header(htx, ist("connection"), ist("upgrade")))