diff --git a/api/v4/source/preferences.yaml b/api/v4/source/preferences.yaml
index 49560516607f..9a4c24bc493e 100644
--- a/api/v4/source/preferences.yaml
+++ b/api/v4/source/preferences.yaml
@@ -59,6 +59,8 @@
               type: array
               items:
                 $ref: '#/components/schemas/Preference'
+              minItems: 1
+              maxItems: 100
       responses:
         "200":
           description: User preferences saved successful
@@ -102,6 +104,8 @@
               type: array
               items:
                 $ref: '#/components/schemas/Preference'
+              minItems: 1
+              maxItems: 100
       responses:
         "200":
           description: User preferences saved successful
diff --git a/server/channels/api4/preference.go b/server/channels/api4/preference.go
index c9e61b50c076..c17b0f0d727c 100644
--- a/server/channels/api4/preference.go
+++ b/server/channels/api4/preference.go
@@ -12,6 +12,8 @@ import (
 	"github.com/mattermost/mattermost/server/v8/channels/audit"
 )
 
+const maxUpdatePreferences = 100
+
 func (api *API) InitPreference() {
 	api.BaseRoutes.Preferences.Handle("", api.APISessionRequired(getPreferences)).Methods("GET")
 	api.BaseRoutes.Preferences.Handle("", api.APISessionRequired(updatePreferences)).Methods("PUT")
@@ -101,8 +103,12 @@ func updatePreferences(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 
 	var preferences model.Preferences
-	if jsonErr := json.NewDecoder(r.Body).Decode(&preferences); jsonErr != nil {
-		c.SetInvalidParamWithErr("preferences", jsonErr)
+	err := model.StructFromJSONLimited(r.Body, *c.App.Config().ServiceSettings.MaximumPayloadSizeBytes, &preferences)
+	if err != nil {
+		c.SetInvalidParamWithErr("preferences", err)
+		return
+	} else if len(preferences) == 0 || len(preferences) > maxUpdatePreferences {
+		c.SetInvalidParam("preferences")
 		return
 	}
 
@@ -149,8 +155,12 @@ func deletePreferences(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 
 	var preferences model.Preferences
-	if jsonErr := json.NewDecoder(r.Body).Decode(&preferences); jsonErr != nil {
-		c.SetInvalidParamWithErr("preferences", jsonErr)
+	err := model.StructFromJSONLimited(r.Body, *c.App.Config().ServiceSettings.MaximumPayloadSizeBytes, &preferences)
+	if err != nil {
+		c.SetInvalidParamWithErr("preferences", err)
+		return
+	} else if len(preferences) == 0 || len(preferences) > maxUpdatePreferences {
+		c.SetInvalidParam("preferences")
 		return
 	}
 
diff --git a/server/channels/api4/preference_test.go b/server/channels/api4/preference_test.go
index 5f41afd3f21d..64ae7d6f9dc6 100644
--- a/server/channels/api4/preference_test.go
+++ b/server/channels/api4/preference_test.go
@@ -258,6 +258,42 @@ func TestUpdatePreferences(t *testing.T) {
 	CheckUnauthorizedStatus(t, resp)
 }
 
+func TestUpdatePreferencesOverload(t *testing.T) {
+	th := Setup(t).InitBasic()
+	defer th.TearDown()
+	client := th.Client
+
+	th.LoginBasic()
+	user1 := th.BasicUser
+
+	t.Run("No preferences", func(t *testing.T) {
+		preferences1 := model.Preferences{}
+		// should error if no preferences
+		resp, err := client.UpdatePreferences(context.Background(), user1.Id, preferences1)
+		require.Error(t, err)
+		CheckErrorID(t, err, "api.context.invalid_body_param.app_error")
+		CheckBadRequestStatus(t, resp)
+	})
+
+	t.Run("Too many preferences", func(t *testing.T) {
+		preferences1 := model.Preferences{}
+		category := model.NewId()
+		// should error if too many preferences
+		for i := 0; i <= 100; i++ {
+			preferences1 = append(preferences1, model.Preference{
+				UserId:   user1.Id,
+				Category: category,
+				Name:     model.NewId(),
+				Value:    model.NewId(),
+			})
+		}
+		resp, err := client.UpdatePreferences(context.Background(), user1.Id, preferences1)
+		require.Error(t, err)
+		CheckErrorID(t, err, "api.context.invalid_body_param.app_error")
+		CheckBadRequestStatus(t, resp)
+	})
+}
+
 func TestUpdatePreferencesWebsocket(t *testing.T) {
 	th := Setup(t).InitBasic()
 	defer th.TearDown()
@@ -590,6 +626,42 @@ func TestDeletePreferences(t *testing.T) {
 	CheckUnauthorizedStatus(t, resp)
 }
 
+func TestDeletePreferencesOverload(t *testing.T) {
+	th := Setup(t).InitBasic()
+	defer th.TearDown()
+	client := th.Client
+
+	th.LoginBasic()
+	user1 := th.BasicUser
+
+	t.Run("No preferences", func(t *testing.T) {
+		preferences1 := model.Preferences{}
+		// should error if no preferences
+		resp, err := client.DeletePreferences(context.Background(), user1.Id, preferences1)
+		require.Error(t, err)
+		CheckErrorID(t, err, "api.context.invalid_body_param.app_error")
+		CheckBadRequestStatus(t, resp)
+	})
+
+	t.Run("Too many preferences", func(t *testing.T) {
+		category := model.NewId()
+		preferences1 := model.Preferences{}
+		// should error if too many preferences
+		for i := 0; i <= 100; i++ {
+			preferences1 = append(preferences1, model.Preference{
+				UserId:   user1.Id,
+				Category: category,
+				Name:     model.NewId(),
+				Value:    model.NewId(),
+			})
+		}
+		resp, err := client.DeletePreferences(context.Background(), user1.Id, preferences1)
+		require.Error(t, err)
+		CheckErrorID(t, err, "api.context.invalid_body_param.app_error")
+		CheckBadRequestStatus(t, resp)
+	})
+}
+
 func TestDeletePreferencesWebsocket(t *testing.T) {
 	th := Setup(t).InitBasic()
 	defer th.TearDown()