diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
index a88861a213f2..01099f315829 100644
--- a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
+++ b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
@@ -96,6 +96,7 @@
 import org.hisp.dhis.schema.descriptors.UserSchemaDescriptor;
 import org.hisp.dhis.security.RestoreOptions;
 import org.hisp.dhis.security.SecurityService;
+import org.hisp.dhis.system.util.ValidationUtils;
 import org.hisp.dhis.user.CredentialsInfo;
 import org.hisp.dhis.user.CurrentUser;
 import org.hisp.dhis.user.PasswordValidationResult;
@@ -450,6 +451,10 @@ public WebMessage replicateUser(
       return conflict("Username must be specified");
     }
 
+    if (!ValidationUtils.usernameIsValid(username, false)) {
+      return conflict("Username is not valid");
+    }
+
     if (userService.getUserByUsername(username) != null) {
       return conflict("Username already taken: " + username);
     }