diff --git a/src/routes/groups.js b/src/routes/groups.js
index 493c1f3ec..65ec092cc 100644
--- a/src/routes/groups.js
+++ b/src/routes/groups.js
@@ -62,6 +62,7 @@ function updateMembers(req, res, next) {
 
     if (!req.body.userIds) return next(new HttpError(404, 'missing or invalid userIds fields'));
     if (!Array.isArray(req.body.userIds)) return next(new HttpError(404, 'userIds must be an array'));
+    if (req.body.userIds.some((u) => typeof u !== 'string')) return next(new HttpError(400, 'userIds array must contain strings'));
 
     groups.setMembers(req.params.groupId, req.body.userIds, function (error) {
         if (error) return next(BoxError.toHttpError(error));