diff --git a/src/api/bkuser_core/api/login/views.py b/src/api/bkuser_core/api/login/views.py index 5fad78066..e0429b050 100644 --- a/src/api/bkuser_core/api/login/views.py +++ b/src/api/bkuser_core/api/login/views.py @@ -356,7 +356,11 @@ def batch_query(self, request): domain_username_map = defaultdict(list) for x in username_list: - username, domain = parse_username_domain(x) + try: + username, domain = parse_username_domain(x) + except Exception: + raise error_codes.USERNAME_FORMAT_ERROR + if not domain: # default domain domain = ProfileCategory.objects.get_default().domain diff --git a/src/api/bkuser_core/api/web/password/views.py b/src/api/bkuser_core/api/web/password/views.py index 534cc1f62..83d67956c 100644 --- a/src/api/bkuser_core/api/web/password/views.py +++ b/src/api/bkuser_core/api/web/password/views.py @@ -133,7 +133,11 @@ def post(self, request, *args, **kwargs): # SaaS 修改密码页面需要登录态, 登录用户即operator username = get_operator(request) # 注意, 这里的username是带域的 - username, domain = parse_username_domain(username) + try: + username, domain = parse_username_domain(username) + except Exception: + raise error_codes.USERNAME_FORMAT_ERROR + if not domain: domain = ProfileCategory.objects.get(default=True).domain instance = Profile.objects.get(username=username, domain=domain) @@ -187,7 +191,11 @@ def get(self, request, *args, **kwargs): else: # 兼容登录态的change_password页面获取目录密码配置 username = get_operator(request) - username, domain = parse_username_domain(username) + try: + username, domain = parse_username_domain(username) + except Exception: + raise error_codes.USERNAME_FORMAT_ERROR + if not domain: domain = ProfileCategory.objects.get(default=True).domain try: @@ -216,6 +224,7 @@ def post(self, request, *args, **kwargs): try: # 优先过滤username username, domain = parse_username_domain(input_telephone) + if not domain: domain = ProfileCategory.objects.get_default().domain # filter过滤,判断是否存在,存在则仅有一个 
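Review bot: The `except Exception` around `parse_username_domain(x)` in `batch_query` turns every failure into `USERNAME_FORMAT_ERROR`, not only a malformed username, and the original exception is neither logged nor chained, so a bug inside the parser becomes indistinguishable from bad client input. Catch only the exception type the parser raises for bad input and keep the cause, e.g. `except ValueError as e:` followed by `raise error_codes.USERNAME_FORMAT_ERROR from e`; `ValueError` is an assumption, since the parser's definition is not visible in this diff. The same block is repeated in the `post` (`@@ -133`) and `get` (`@@ -187`) hunks of `web/password/views.py` and in `get` of `web/profile/views.py`, so a small shared helper would keep the handling consistent. In `batch_query` the raise sits inside the `for x in username_list` loop, so one malformed entry rejects the whole batch; confirm that is intended. The function body continues outside the hunk.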
@@ -248,6 +257,10 @@ def post(self, request, *args, **kwargs): logger.exception("this telephone<%s> had bound to multi profiles", input_telephone) raise error_codes.TELEPHONE_BOUND_TO_MULTI_PROFILE + except Exception: + logger.exception("failed to get profile by username<%s> because of username format error", input_telephone) + raise error_codes.USERNAME_FORMAT_ERROR + # 生成verification_code_token verification_code_token = ResetPasswordVerificationCodeHandler().generate_reset_password_token(profile.id) raw_telephone = profile.telephone diff --git a/src/api/bkuser_core/api/web/profile/views.py b/src/api/bkuser_core/api/web/profile/views.py index 50434a625..f6885140c 100644 --- a/src/api/bkuser_core/api/web/profile/views.py +++ b/src/api/bkuser_core/api/web/profile/views.py @@ -61,8 +61,11 @@ def get(self, request, *args, **kwargs): data = slz.validated_data username = data["username"] + try: + username, domain = parse_username_domain(username) + except Exception: + raise error_codes.USERNAME_FORMAT_ERROR - username, domain = parse_username_domain(username) if not domain: domain = ProfileCategory.objects.get(default=True).domain
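Review bot: The new `except Exception` in the `@@ -248` hunk is attached to the `try` that opens in the `@@ -216` hunk, which appears to cover the profile lookup as well as `parse_username_domain(input_telephone)`, so any unexpected error in that lookup would be logged and returned as `USERNAME_FORMAT_ERROR`. Give the parse its own narrow `try` ahead of the lookup, or catch only the parser's exception type here, so that database or logic failures are not reported to the caller as bad input. The added `logger.exception(...)` call also writes the caller-supplied `input_telephone` into the log on a password-reset path with `%s`; consider `%r` or a masked value so that control characters and full phone numbers do not land in log files. The `try` block and its earlier `except` clauses lie partly outside this hunk.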