diff --git a/app/api/webdav/[...path]/route.ts b/app/api/webdav/[...path]/route.ts
index bb7743bda..14998b6e2 100644
--- a/app/api/webdav/[...path]/route.ts
+++ b/app/api/webdav/[...path]/route.ts
@@ -62,7 +62,12 @@ async function handle(
     endpoint += "/";
   }
 
-  const endpointPath = params.path.join("/");
+  // Sanitize path components to prevent path traversal attacks
+  const sanitizedPathComponents = params.path
+    .filter(component => component && component !== '.' && component !== '..')
+    .map(component => encodeURIComponent(component));
+
+  const endpointPath = sanitizedPathComponents.join("/");
   const targetPath = `${endpoint}${endpointPath}`;
 
   // only allow MKCOL, GET, PUT
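Review bot: The new `.filter(...)` silently drops `.`, `..` and empty segments instead of rejecting the request, so a path such as `a/../b` is rewritten to `a/b` and served as if the client had asked for it, which hides probing in the logs and can make a traversal attempt land on a real resource; a request containing those segments is malformed and should get a 4xx, e.g. `if (params.path.some((c) => !c || c === "." || c === ".."))` followed by the error response this handler already uses elsewhere. The exact-match check also only sees whole segments: if the framework has already percent-decoded the catch-all parameters, one segment can itself contain a `/` or `\`, and `encodeURIComponent` will re-escape it to `%2F`/`%5C` rather than reject it, so whether that acts as a separator depends on how the upstream WebDAV server decodes the path; treating any separator inside a segment as invalid keeps the check independent of the server. The comment on the first added line would be more useful stating the invariant (`// each segment must be a single, non-traversing path element; encode before joining`). The enclosing `handle` starts before and continues after this hunk, so the later checks on `targetPath` are not visible here.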