diff --git a/apps/dav/lib/Connector/Sabre/Auth.php b/apps/dav/lib/Connector/Sabre/Auth.php
index 5c5bbe8f355ce..20f5f817f7be8 100644
--- a/apps/dav/lib/Connector/Sabre/Auth.php
+++ b/apps/dav/lib/Connector/Sabre/Auth.php
@@ -81,6 +81,9 @@ protected function validateUserPass($username, $password) {
 $this->session->close();
 return true;
 } else {
+ if ($username === '' || $password === '') {
+ return false;
+ }
 try {
 if ($this->userSession->logClientIn($username, $password, $this->request, $this->throttler)) {
 $this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
diff --git a/apps/dav/tests/unit/Connector/Sabre/AuthTest.php b/apps/dav/tests/unit/Connector/Sabre/AuthTest.php
index e05c46705652c..32ef2dbe29485 100644
--- a/apps/dav/tests/unit/Connector/Sabre/AuthTest.php
+++ b/apps/dav/tests/unit/Connector/Sabre/AuthTest.php
@@ -206,6 +206,14 @@ public function testValidateUserPassWithPasswordLoginForbidden(): void {
 self::invokePrivate($this->auth, 'validateUserPass', ['MyTestUser', 'MyTestPassword']);
 }
 
+ public function testValidateUserPassReturnsFalseWithEmptyUsernameAndPassword(): void {
+ $this->userSession
+ ->expects($this->never())
+ ->method('logClientIn');
+
+ $this->assertFalse(self::invokePrivate($this->auth, 'validateUserPass', ['', '']));
+ }
+
 public function testAuthenticateAlreadyLoggedInWithoutCsrfTokenForNonGet(): void {
 $request = $this->createMock(RequestInterface::class);
 $response = $this->createMock(ResponseInterface::class);
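Review bot: The new empty-credential guard in the `else` branch of validateUserPass carries no comment, yet it changes what the brute-force throttler sees: it returns before `logClientIn()` runs, and `$this->throttler` is only handed over in that call, so requests with an empty username or password are presumably no longer counted as failed attempts. If that is the intent, state it above the check, e.g. `// Empty credentials can never be valid: reject before logClientIn() so no backend lookup or throttle entry is created.` The comparison is strict and the parameters are untyped, so a `null` value would still fall through to `logClientIn()`; whether any caller can pass `null` is not visible here. validateUserPass starts and ends outside this hunk.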
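Review bot: The new test in AuthTest.php only exercises the case where both values are empty, but the guard in Auth.php is an `||`, so the two single-empty cases are unpinned and a later change to `&&` would still pass this test. Add the mixed cases next to the existing assertion: `$this->assertFalse(self::invokePrivate($this->auth, 'validateUserPass', ['', 'MyTestPassword']));` and `$this->assertFalse(self::invokePrivate($this->auth, 'validateUserPass', ['MyTestUser', '']));`. The `never()` expectation on `logClientIn` then covers all three calls.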