diff --git a/src/PMG/API2/Users.pm b/src/PMG/API2/Users.pm
index 132783d..1cc7a33 100644
--- a/src/PMG/API2/Users.pm
+++ b/src/PMG/API2/Users.pm
@@ -126,6 +126,8 @@ __PACKAGE__->register_method ({
 	    my ($userid, $username, $realm) = PMG::Utils::verify_username($entry->{userid});
 	    die "invalid realm '$realm' in userid\n" if !PMG::Auth::Plugin::is_valid_realm($realm);
 
+	    die "'@' forbidden in username\n" if $username =~/@/;
+
 	    if ($entry->{realm}) {
 		die "realm parameter does not fit userid ('$entry->{realm}' != '$realm')\n"
 		    if $entry->{realm} ne $realm;
diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
index 70e8317..3e7adbb 100644
--- a/src/PMG/Utils.pm
+++ b/src/PMG/Utils.pm
@@ -49,7 +49,7 @@ postgres_admin_cmd
 try_decode_utf8
 );
 
-my $user_regex = qr![^\s:@/]+!;
+my $user_regex = qr![^\s:/]+!;
 
 PVE::JSONSchema::register_standard_option('pmg-starttime', {
     description => "Only consider entries newer than 'starttime' (unix epoch). Default is 'now - 1day'.",