diff --git a/clientapi/routing/profile.go b/clientapi/routing/profile.go
index 859fe220d..4d9e1f8a5 100644
--- a/clientapi/routing/profile.go
+++ b/clientapi/routing/profile.go
@@ -119,6 +119,13 @@ func SetAvatarURL(
 		return jsonerror.InternalServerError()
 	}
 
+	if !cfg.Matrix.IsLocalServerName(domain) {
+		return util.JSONResponse{
+			Code: http.StatusForbidden,
+			JSON: jsonerror.Forbidden("userID does not belong to a locally configured domain"),
+		}
+	}
+
 	evTime, err := httputil.ParseTSParam(req)
 	if err != nil {
 		return util.JSONResponse{
@@ -211,6 +218,13 @@ func SetDisplayName(
 		return jsonerror.InternalServerError()
 	}
 
+	if !cfg.Matrix.IsLocalServerName(domain) {
+		return util.JSONResponse{
+			Code: http.StatusForbidden,
+			JSON: jsonerror.Forbidden("userID does not belong to a locally configured domain"),
+		}
+	}
+
 	evTime, err := httputil.ParseTSParam(req)
 	if err != nil {
 		return util.JSONResponse{
diff --git a/userapi/internal/api.go b/userapi/internal/api.go
index 4f5537383..9d84db3a4 100644
--- a/userapi/internal/api.go
+++ b/userapi/internal/api.go
@@ -548,6 +548,9 @@ func (a *UserInternalAPI) PerformAccountDeactivation(ctx context.Context, req *a
 	if serverName == "" {
 		serverName = a.Config.Matrix.ServerName
 	}
+	if !a.Config.Matrix.IsLocalServerName(serverName) {
+		return fmt.Errorf("server name %q not locally configured", serverName)
+	}
 	evacuateReq := &rsapi.PerformAdminEvacuateUserRequest{
 		UserID: fmt.Sprintf("@%s:%s", req.Localpart, serverName),
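Review bot: The local-domain guard added to SetAvatarURL here is duplicated verbatim in SetDisplayName in the next hunk, including the same util.JSONResponse literal and message string, so a small helper such as `forbiddenNonLocalDomain() util.JSONResponse` that returns that 403 response would keep the two handlers from drifting and reduce each site to `if !cfg.Matrix.IsLocalServerName(domain) { return forbiddenNonLocalDomain() }`. The guard is placed before the timestamp parsing that follows it, so a request naming a user on a remote domain is rejected with M_FORBIDDEN before the handler goes further, which is the right ordering. Whether the earlier part of either handler also checks that the authenticated device's user ID matches the userID being modified is not visible here; if it does not, that ownership check is the more important one, since the domain check alone still permits writing to another local user's profile. Both SetAvatarURL and SetDisplayName start and end outside their hunks.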