diff --git a/app/controllers/experts/avis_controller.rb b/app/controllers/experts/avis_controller.rb
index 14999d869..c7f3bfde4 100644
--- a/app/controllers/experts/avis_controller.rb
+++ b/app/controllers/experts/avis_controller.rb
@@ -129,6 +129,14 @@ module Experts
 procedure_id = params[:procedure_id]
 avis_id = params[:id]
 email = params[:email]
+ + avis = Avis.joins(:procedure, expert: :user) .find_by(id: avis_id, procedure: { id: procedure_id }, user: { email: }) + + if avis.nil? + return redirect_to root_path, alert: "Vous n’avez pas accès à cet avis." + end + + password = params[:user][:password]
 user = User.create_or_promote_to_expert(email, password)
diff --git a/spec/controllers/experts/avis_controller_spec.rb b/spec/controllers/experts/avis_controller_spec.rb
index 56865796e..5f030bb41 100644
--- a/spec/controllers/experts/avis_controller_spec.rb
+++ b/spec/controllers/experts/avis_controller_spec.rb
@@ -560,13 +560,17 @@ describe Experts::AvisController, type: :controller do
 end
 
 describe '#update_expert' do
+ let(:avis_id) { avis.id }
+ let(:email) { avis.expert.email }
+ let(:password) { SECURE_PASSWORD }
+
 subject do
 post :update_expert, params: {
- id: avis.id,
+ id: avis_id,
 procedure_id:,
- email: avis.expert.email,
+ email:,
 user: {
- password: SECURE_PASSWORD
+ password:
 }
 }
 end
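Review bot: The new guard verifies that `email` belongs to the expert assigned to `avis_id` within `procedure_id`, yet the context line `user = User.create_or_promote_to_expert(email, password)` still resolves the account from the raw `email` parameter instead of from the record just validated; if that helper only looks the user up by email this is equivalent, but reusing `avis.expert.user` (or asserting `user == avis.expert.user` right after the call) keeps the authorization check and the password write bound to the same object. A short why-comment above the lookup would help the next reader, e.g. `# Only the expert assigned to this avis, in this procedure, may set a password through this link.` The four-line nil check reads more idiomatically as a modifier: `return redirect_to root_path, alert: "Vous n’avez pas accès à cet avis." if avis.nil?`. A nil match is also worth a log line (without the password), since repeated mismatches on these identifiers are what a defender would want to see. The enclosing `update_expert` action begins before the hunk.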
@@ -588,6 +592,34 @@ describe Experts::AvisController, type: :controller do
 it { is_expected.to redirect_to expert_all_avis_path }
 end
 
+ context 'with a random avis, procedure and user' do
+ let(:avis_id) { create(:avis).id }
+ let(:random_user) { create(:user) }
+ let(:email) { random_user.email }
+
+ it 'doesn’t change the random user password' do
+ expect(random_user.reload.valid_password?(password)).to be false
+ subject
+ expect(random_user.reload.valid_password?(password)).to be false
+ expect(flash[:alert]).to eq("Vous n’avez pas accès à cet avis.")
+ end
+ end
+
+ context 'with a matching avis procedure, and a random user' do
+ let(:avis) { create(:avis) }
+ let(:avis_id) { avis.id }
+ let(:procedure_id) { avis.procedure.id }
+ let(:random_user) { create(:user) }
+ let(:email) { random_user.email }
+
+ it 'doesn’t change the random user password' do
+ expect(random_user.reload.valid_password?(password)).to be false
+ subject
+ expect(random_user.reload.valid_password?(password)).to be false
+ expect(flash[:alert]).to eq("Vous n’avez pas accès à cet avis.")
+ end
+ end
+
 context 'when the expert has already signed up' do
 before { expert.user.update(last_sign_in_at: Time.zone.now) }
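Review bot: The first new context is titled 'with a random avis, procedure and user' but only overrides `avis_id` and `email`; `procedure_id` still comes from the outer `let`, which is defined outside this hunk, so the procedure there does not appear to be random — either override it as the second context does or rename the description. Neither context covers an `email` that belongs to no user at all, which is the path where the controller would otherwise fall through to account creation; a third context posting an unknown address and asserting `expect(User.exists?(email:)).to be false` after `subject` would pin that. Both examples check the flash but not the redirect target, so adding `expect(response).to redirect_to(root_path)` would tie the spec to the guard's actual response. The enclosing `describe '#update_expert'` block continues beyond the hunk.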