diff --git a/config/config.go b/config/config.go
index 294f5cf87..d79ab65c5 100644
--- a/config/config.go
+++ b/config/config.go
@@ -7,6 +7,7 @@ import (
 "net"
 "net/netip"
 "net/url"
+ "path/filepath"
 "strings"
 "time"
 _ "unsafe"
@@ -759,6 +760,9 @@ func parseController(cfg *RawConfig) (*Controller, error) {
 if path := cfg.ExternalUI; path != "" && !C.Path.IsSafePath(path) {
 return nil, C.Path.ErrNotSafePath(path)
 }
+ if uiName := cfg.ExternalUIName; uiName != "" && !filepath.IsLocal(uiName) {
+ return nil, fmt.Errorf("external UI name is not local: %s", uiName)
+ }
 return &Controller{
 ExternalController: cfg.ExternalController,
 ExternalUI: cfg.ExternalUI,
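Review bot: The new `ExternalUIName` guard in parseController relies on `filepath.IsLocal`, which is a purely lexical check and does not account for symlinks, so it rejects `..` components and absolute names but cannot by itself guarantee that the resolved directory stays under the external UI path. If the code that joins this name onto the UI directory (not visible in this hunk) later writes or extracts files there, it would be worth re-checking the joined path at that point, for example with the same `C.Path.IsSafePath` helper used for `ExternalUI` just above. I would also format the rejected value with `%q` rather than `%s` so that names containing whitespace or control characters appear unambiguously in logs: `return nil, fmt.Errorf("external UI name is not local: %q", uiName)`. parseController's body begins and ends outside the hunk.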