diff --git a/hc/api/tests/test_update_check.py b/hc/api/tests/test_update_check.py
index d21ed8e0..70ae0399 100644
--- a/hc/api/tests/test_update_check.py
+++ b/hc/api/tests/test_update_check.py
@@ -152,6 +152,17 @@ class UpdateCheckTestCase(BaseTestCase):
         self.check.refresh_from_db()
         self.assertEqual(self.check.channel_set.count(), 0)
 
+    def test_it_rejects_non_uuid_channel_code(self):
+        r = self.post(self.check.code, {
+            "api_key": "X" * 32,
+            "channels": "foo"
+        })
+
+        self.assertEqual(r.status_code, 400)
+
+        self.check.refresh_from_db()
+        self.assertEqual(self.check.channel_set.count(), 0)
+
     def test_it_rejects_non_string_channels_key(self):
         r = self.post(self.check.code, {
             "api_key": "X" * 32,
diff --git a/hc/api/views.py b/hc/api/views.py
index 7d1024fc..61e9429f 100644
--- a/hc/api/views.py
+++ b/hc/api/views.py
@@ -1,4 +1,5 @@
 from datetime import timedelta as td
+import uuid
 
 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
@@ -87,6 +88,11 @@ def _update(check, spec):
     else:
         channels = []
         for chunk in spec["channels"].split(","):
+            try:
+                chunk = uuid.UUID(chunk)
+            except ValueError:
+                raise SuspiciousOperation("Invalid channel identifier")
+
             try:
                 channel = Channel.objects.get(code=chunk)
                 channels.append(channel)
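Review bot: The new test only covers a wholly non-hex value ("foo"); the rejection path in `_update` is reached per comma-separated chunk, so a list with one valid code and one malformed or empty segment (e.g. a trailing comma) is the case most likely to regress and is not pinned here. A second assertion-only case such as `"channels": str(channel.code) + ","` (expecting 400 and an unchanged `channel_set`) would lock in that the whole request is rejected rather than partially applied; I am inferring the empty-segment behaviour from `split(",")` and `uuid.UUID("")` raising ValueError, so confirm against the branch above the hunk that handles an empty `channels` string.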
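Review bot: The `raise SuspiciousOperation(...)` inside the new `except ValueError:` block should suppress the implicit exception chain, `raise SuspiciousOperation("Invalid channel identifier") from None`, otherwise the logged 400 carries the unrelated "badly formed hexadecimal UUID string" traceback as its context. Rebinding the loop variable `chunk` to a `uuid.UUID` object also makes the later `Channel.objects.get(code=chunk)` read as if it still held the raw string; a separate name, `code = uuid.UUID(chunk)` and `Channel.objects.get(code=code)`, keeps the parsed and unparsed values distinct. Note that `Channel.objects.get(code=...)` is keyed on the code alone; if no ownership filter follows outside the hunk, a syntactically valid code from another account would pass this new check, so that is worth confirming. `_update` starts before and continues after this hunk.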