diff --git a/backend/webui_service/middleware.go b/backend/webui_service/middleware.go
index b4f2107d9623567bac6f6f0dd7a473a8289984f5..a2170509ab16106b893979d500a7a2dac97be0fd 100644
--- a/backend/webui_service/middleware.go
+++ b/backend/webui_service/middleware.go
@@ -1,6 +1,9 @@
 package webui_service
 
 import (
+	"path/filepath"
+	"strings"
+
 	"github.com/gin-gonic/gin"
 )
 
@@ -14,9 +17,19 @@ func ReturnPublic() gin.HandlerFunc {
 			if destPath[len(destPath)-1] == '/' {
 				destPath = destPath[:len(destPath)-1]
 			}
+			destPath = verifyDestPath(destPath)
 			context.File(destPath)
 		} else {
 			context.Next()
 		}
 	}
 }
+
+func verifyDestPath(requestedURI string) string {
+	destPath := filepath.Clean(requestedURI)
+	// if destPath contains ".." then it is not a valid path
+	if strings.Contains(destPath, "..") {
+		return PublicPath
+	}
+	return destPath
+}
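Review bot: In `verifyDestPath`, the `strings.Contains(destPath, "..")` test runs after `filepath.Clean`, which has already resolved every `..` segment it could, so the check only catches paths that climb above their own first element. A path that leaves `PublicPath` but stays below that point comes out of `Clean` with no `..` in it and is passed to `context.File` unchanged. The check also turns away legitimate file names that merely contain two consecutive dots. I would test containment instead, by computing the cleaned path relative to `PublicPath` and falling back when the result starts with a `..` element. `ReturnPublic` starts outside the hunk, so this assumes `destPath` is built by prefixing `PublicPath` to the request path; that should be confirmed.

```go
func verifyDestPath(requestedURI string) string {
	destPath := filepath.Clean(requestedURI)
	// Clean has already folded ".." segments away, so test containment in PublicPath instead.
	root := filepath.Clean(PublicPath)
	rel, err := filepath.Rel(root, destPath)
	escapes := rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
	if err != nil || escapes {
		// … unchanged: fall back to PublicPath, otherwise return destPath …
```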