diff --git a/internal/v3/api/release.go b/internal/v3/api/release.go
index 293fb72..1f0284c 100644
--- a/internal/v3/api/release.go
+++ b/internal/v3/api/release.go
@@ -121,6 +121,14 @@ func (s *ReleaseOperationsApi) GetFile(ctx context.Context, filename string) (ge
 		}), nil
 	}
 
+	// Validate the filename to ensure it does not contain any path separators or parent directory references
+	if strings.Contains(filename, "/") || strings.Contains(filename, "\\") || strings.Contains(filename, "..") {
+		return gen.Response(400, gen.GetFile400Response{
+			Message: "Invalid filename",
+			Errors:  []string{"filename contains invalid characters"},
+		}), nil
+	}
+
 	releaseSlug := strings.TrimSuffix(filename, ".tar.gz")
 	if !utils.CheckReleaseSlug(releaseSlug) {
 		return gen.Response(400, gen.GetFile400Response{
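Review bot: The added guard rejects `/`, `\` and `..`, but it sits after an early return that is only partially visible at the top of the hunk, and the `strings.TrimSuffix` call right below it does not require the `.tar.gz` suffix to be present, so a bare name that satisfies `utils.CheckReleaseSlug` still reaches whatever file lookup follows; GetFile begins and ends outside this hunk, so I cannot confirm what that lookup does with it or whether the earlier branch touches `filename` before the check. A tighter and more idiomatic form is to compare against the path base, e.g. `if filename == "" || filename == "." || filename != filepath.Base(filename) || strings.Contains(filename, "..") {` (adding `path/filepath` to the imports), which also rejects empty and dot names that the substring checks let through. If this endpoint only ever serves tarballs, `!strings.HasSuffix(filename, ".tar.gz")` belongs in the same condition so the slug check is always applied to a real slug. Either way, a table test asserting 400 for `../x.tar.gz`, `a/b.tar.gz`, `..\x.tar.gz` and `""` would pin the behaviour this commit intends.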