diff --git a/CHANGELOG.md b/CHANGELOG.md
index d5e8c2ff..853d00a9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,9 @@
 # CHANGELOG.md
 
 ## unreleased
- - Fixed a bug where the single-sign-on oidc code would generate an unbounded amount of cookies when receiving many unauthenticated requests in sequence. 
+
+- Fixed a bug where the single-sign-on oidc code would generate an unbounded amount of cookies when receiving many unauthenticated requests in sequence. 
+- Fix: invalid UTF-8 in multipart text fields now returns `400 Bad Request` instead of `500 Internal Server Error`.
 
 ## 0.43.0
 
diff --git a/src/webserver/http_request_info.rs b/src/webserver/http_request_info.rs
index 0ddfd707..4f8c57bb 100644
--- a/src/webserver/http_request_info.rs
+++ b/src/webserver/http_request_info.rs
@@ -273,7 +273,14 @@ async fn extract_text(
         .await
         .map(|bytes| bytes.data)
         .map_err(|e| anyhow!("failed to read form field data: {e}"))?;
-    Ok(String::from_utf8(data.to_vec())?)
+    String::from_utf8(data.to_vec()).map_err(|e| {
+        anyhow!(super::ErrorWithStatus {
+            status: actix_web::http::StatusCode::BAD_REQUEST,
+        })
+        .context(format!(
+            "could not parse multipart form field as utf-8 text: {e}"
+        ))
+    })
 }
 
 async fn extract_file(
diff --git a/tests/requests/mod.rs b/tests/requests/mod.rs
index ad6791bb..6851cecb 100644
--- a/tests/requests/mod.rs
+++ b/tests/requests/mod.rs
@@ -188,4 +188,34 @@ async fn test_variables_function() -> actix_web::Result<()> {
     Ok(())
 }
 
+#[actix_web::test]
+async fn test_invalid_utf8_multipart_text_field_returns_bad_request() -> actix_web::Result<()> {
+    let req = get_request_to("/tests/requests/variables.sql")
+        .await?
+        .insert_header(("content-type", "multipart/form-data; boundary=1234567890"))
+        .set_payload(
+            b"--1234567890\r\n\
+            Content-Disposition: form-data; name=\"x\"\r\n\
+            Content-Type: text/plain\r\n\
+            \r\n\
+            \xff\r\n\
+            --1234567890--\r\n"
+                .as_slice(),
+        )
+        .to_srv_request();
+    let status = match main_handler(req).await {
+        Ok(resp) => resp.status(),
+        Err(err) => err.as_response_error().status_code(),
+    };
+
+    assert_eq!(
+        status,
+        StatusCode::BAD_REQUEST,
+        "assertion error, expected 400 bad request on invalid utf8 payload, got {}",
+        status
+    );
+
+    Ok(())
+}
+
 mod webhook_hmac;