diff --git a/app/Controller/AvatarFileController.php b/app/Controller/AvatarFileController.php
index 99a2cfb96..de5267c3f 100644
--- a/app/Controller/AvatarFileController.php
+++ b/app/Controller/AvatarFileController.php
@@ -65,6 +65,7 @@ class AvatarFileController extends BaseController
{
$user_id = $this->request->getIntegerParam('user_id');
$size = $this->request->getStringParam('size', 48);
+ $hash = $this->request->getStringParam('hash');
if ($size > 100) {
$this->response->status(400);
@@ -74,6 +75,11 @@ class AvatarFileController extends BaseController
$filename = $this->avatarFileModel->getFilename($user_id);
$etag = md5($filename.$size);
+ if ($hash !== $etag) {
+ $this->response->status(404);
+ return;
+ }
+
$this->response->withCache(365 * 86400, $etag);
$this->response->withContentType('image/png');
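Review bot: The new guard `if ($hash !== $etag)` is the check that stops avatar URLs from being enumerated by `user_id`, yet it compares the URL token with an ordinary string comparison; the practitioner's form for a token check is `if (!hash_equals($etag, $hash)) {`, which is constant-time and also tolerates an empty `$hash` from a request that omitted the parameter. The token is recomputed as `md5($filename.$size)` here and as `md5($user['avatar_path'].$size)` in `AvatarFileProvider::render()`, so a one-line comment above the guard would help the next maintainer: `// $hash must match the token built in AvatarFileProvider::render() (md5 of avatar path + size).` Placing the 404 before `withCache()` is correct, since a rejected request should not be handed a year-long cache header. The enclosing method begins before the first hunk and continues past this one, so any earlier handling of an empty `$filename` is outside what is visible.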
diff --git a/app/User/Avatar/AvatarFileProvider.php b/app/User/Avatar/AvatarFileProvider.php
index b6486cea6..932de079b 100644
--- a/app/User/Avatar/AvatarFileProvider.php
+++ b/app/User/Avatar/AvatarFileProvider.php
@@ -23,7 +23,7 @@ class AvatarFileProvider extends Base implements AvatarProviderInterface
*/
public function render(array $user, $size)
{
- $url = $this->helper->url->href('AvatarFileController', 'image', array('user_id' => $user['id'], 'hash' => md5($user['avatar_path']), 'size' => $size));
+ $url = $this->helper->url->href('AvatarFileController', 'image', array('user_id' => $user['id'], 'hash' => md5($user['avatar_path'].$size), 'size' => $size));
$title = $this->helper->text->e($user['name'] ?: $user['username']);
return '';
}
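Review bot: The token in the rewritten `href()` call, `md5($user['avatar_path'].$size)`, is now duplicated byte-for-byte by `AvatarFileController` (which computes `md5($filename.$size)` for both the ETag and the access check), and nothing ties the two together; if either side changes its recipe the avatars silently turn into 404s. A small shared helper, e.g. `AvatarFileModel::getHash($path, $size)` returning `md5($path.$size)`, called from both places would remove the drift risk; failing that, a comment on this line such as `// Keep in sync with AvatarFileController::image(), which recomputes this value as the ETag and URL token.` is the minimum. Note `$size` arrives here as whatever the caller passes and in the controller as a string parameter; string concatenation makes `48` and `'48'` hash identically, but the method's `@param` docblock above the hunk should state that `$size` is an integer pixel size so that callers do not pass something like `'48px'`.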
diff --git a/tests/units/Formatter/UserMentionFormatterTest.php b/tests/units/Formatter/UserMentionFormatterTest.php
index c42608ab3..0a7854456 100644
--- a/tests/units/Formatter/UserMentionFormatterTest.php
+++ b/tests/units/Formatter/UserMentionFormatterTest.php
@@ -29,7 +29,7 @@ class UserMentionFormatterTest extends Base
$expected = array(
array(
'value' => 'someone',
- 'html' => '