diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 0a467fba42b..95c982c597c 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -211,6 +211,10 @@ class GroupsController < ApplicationController
 raise Discourse::InvalidParameters.new(:limit)
 end
+ if limit > 1000
+ raise Discourse::InvalidParameters.new(:limit)
+ end
+
 if offset < 0
 raise Discourse::InvalidParameters.new(:offset)
 end
diff --git a/spec/requests/groups_controller_spec.rb b/spec/requests/groups_controller_spec.rb
index 83acf8892d4..6e6ae849b6d 100644
--- a/spec/requests/groups_controller_spec.rb
+++ b/spec/requests/groups_controller_spec.rb
@@ -351,6 +351,9 @@ describe GroupsController do
 get "/groups/#{group.name}/members.json?offset=-1"
 expect(response.status).to eq(400)
+
+ get "/groups/trust_level_0/members.json?limit=2000"
+ expect(response.status).to eq(400)
 end
 it "ensures the group can be seen" do
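Review bot: The new upper bound on `limit` is a bare literal `1000` in the controller check, and the spec hunk repeats the cap only indirectly as `limit=2000`, so nothing names the value and the two sides can drift apart silently. Hoist it into a frozen constant on the controller, e.g. `MAX_MEMBERS_LIMIT = 1000` (name is a suggestion) and `if limit > MAX_MEMBERS_LIMIT`, so the spec can reference the same constant and the cap is documented in one place. A short why-comment on the check would also help a later reader, e.g. `# Reject oversized page sizes so one request cannot pull an arbitrarily large member list` (presumably the motivation; confirm). The enclosing action starts before this hunk, so where `limit` is parsed and whether it has already been coerced to an Integer is not visible here; the `>` comparison relies on that having happened.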
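Review bot: The new spec request only exercises a value well past the cap (`limit=2000`) and does not pin the boundary itself, so an off-by-one in the controller comparison would go unnoticed. Add the edge on both sides, e.g. `get "/groups/#{group.name}/members.json?limit=1000"` expecting a non-400 status and `get "/groups/#{group.name}/members.json?limit=1001"` expecting 400. The added line also hard-codes the `trust_level_0` group while the two context lines above use `group.name`; unless that group was chosen deliberately (not visible from this hunk), use `group.name` for consistency with the surrounding requests. The `it` block containing these lines begins before the hunk.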