diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b883cb7674..45ddf6309e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -6,6 +6,8 @@ class ApplicationController < ActionController::Base
 MAX_STORED_URL_LENGTH = 1024
 rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+ rescue_from ActionDispatch::Http::Parameters::ParseError, with: :bad_request
+ rescue_from ActionController::ParameterMissing, with: :bad_request
 protect_from_forgery with: :null_session
@@ -120,6 +122,12 @@ def user_not_authorized
 end
 end
+ def bad_request
+ # rubocop:disable Rails/RenderInline
+ render status: :bad_request, inline: 'Bad request'
+ # rubocop:enable Rails/RenderInline
+ end
+
 def set_locale
 helpers.locale = params[:locale] || current_user&.lang || I18n.default_locale
 end
diff --git a/test/controllers/submissions_controller_test.rb b/test/controllers/submissions_controller_test.rb
index 048009a761..596f707660 100644
--- a/test/controllers/submissions_controller_test.rb
+++ b/test/controllers/submissions_controller_test.rb
@@ -135,13 +135,18 @@ class SubmissionsControllerTest < ActionDispatch::IntegrationTest
 assert_response :unprocessable_entity
 end
- test 'create submission should respond bad_request without an exercise' do
+ test 'create submission should respond unprocessable_entity without an exercise' do
 attrs = generate_attr_hash
 attrs.delete(:exercise_id)
 create_request(attr_hash: attrs)
 assert_response :unprocessable_entity
 end
+ test 'create submission should respond bad_request without a hash' do
+ post submissions_url
+ assert_response :bad_request
+ end
+
 test 'create submission within course' do
 attrs = generate_attr_hash
 course = courses(:course1)
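Review bot: Both new `rescue_from` lines route to `bad_request`, which (in the later hunk of this file) takes no argument, so once the handler runs nothing records which of the two errors occurred. These are the responses a client gets for a malformed body or a missing required key, so a one-line log of the exception class helps tell a broken client from repeated malformed requests against an endpoint: `def bad_request(exception)` with `logger.warn("bad request: #{exception.class}")` before the render. Logging only the class, not the message, keeps request content out of the log. The class body continues outside the hunk.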
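Review bot: `render inline:` in `bad_request` sends the string through the template renderer, which is why the cop has to be disabled around it. For a fixed string, `render plain: 'Bad request', status: :bad_request` returns the same body and status without the two `rubocop:disable`/`rubocop:enable` comments. It should also answer with a `text/plain` content type rather than an HTML one, and it leaves no inline-template call that a later edit could interpolate request data into. The enclosing class starts and ends outside the hunk.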
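Review bot: The added test exercises only one of the two new handlers: a POST with no parameters, which presumably trips `ActionController::ParameterMissing`. The `ActionDispatch::Http::Parameters::ParseError` handler added in `application_controller.rb` has no test. Whether `rescue_from` catches a parse error depends on where the request body is first parsed, so it is worth pinning with a second test that posts a malformed JSON body, for example `post submissions_url, params: '{', headers: { 'CONTENT_TYPE' => 'application/json' }` followed by `assert_response :bad_request`. The test class continues outside the hunk.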