diff --git a/test/functional/SSHKeyDeleteTest.php b/test/functional/SSHKeyDeleteTest.php
new file mode 100644
index 00000000..b5c54240
--- /dev/null
+++ b/test/functional/SSHKeyDeleteTest.php
@@ -0,0 +1,83 @@
+<?php
+
+use PHPUnit\Framework\TestCase;
+use PHPUnit\Framework\Attributes\DataProvider;
+
+class SSHKeyDeleteTest extends TestCase {
+    static $initialKeys;
+
+    public static function setUpBeforeClass(): void{
+        global $USER;
+        switchUser(...getUserWithOneKey());
+        self::$initialKeys = $USER->getSSHKeys(true);
+    }
+
+    private function deleteKey(string $index): void {
+        post(
+            __DIR__ . "/../../webroot/panel/account.php",
+            ["form_type" => "delKey", "delIndex" => $index]
+        );
+    }
+
+    public static function getGarbageIndexArgs()
+    {
+        global $HTTP_HEADER_TEST_INPUTS;
+        return array_map(function($x){return [$x];}, $HTTP_HEADER_TEST_INPUTS);
+    }
+
+    #[DataProvider("getGarbageIndexArgs")]
+    public function testDeleteKeyGarbageInput(string $index)
+    {
+        global $USER;
+        try {
+            $this->deleteKey($index);
+            $this->assertEquals(self::$initialKeys, $USER->getSSHKeys(true));
+        } finally {
+            $USER->setSSHKeys(self::$initialKeys);
+        }
+    }
+
+    public function testDeleteKeyNegativeIndex()
+    {
+        global $USER;
+        try {
+            $this->deleteKey("-1");
+            $this->assertEquals(self::$initialKeys, $USER->getSSHKeys(true));
+        } finally {
+            $USER->setSSHKeys(self::$initialKeys);
+        }
+    }
+
+    public function testDeleteKeyIndexTooLarge()
+    {
+        global $USER;
+        try {
+            $this->deleteKey("99");
+            $this->assertEquals(self::$initialKeys, $USER->getSSHKeys(true));
+        } finally {
+            $USER->setSSHKeys(self::$initialKeys);
+        }
+    }
+
+    public function testDeleteKeyDecimal()
+    {
+        global $USER;
+        try {
+            $this->deleteKey("0.5");
+            $this->assertEquals(self::$initialKeys, $USER->getSSHKeys(true));
+        } finally {
+            $USER->setSSHKeys(self::$initialKeys);
+        }
+    }
+
+    public function testDeleteKey()
+    {
+        global $USER;
+        try {
+            $this->deleteKey("0");
+            $this->assertEquals([], $USER->getSSHKeys(true));
+        } finally {
+            $USER->setSSHKeys(self::$initialKeys);
+        }
+    }
+}
diff --git a/test/phpunit-bootstrap.php b/test/phpunit-bootstrap.php
index 79a22f0c..a53261c5 100644
--- a/test/phpunit-bootstrap.php
+++ b/test/phpunit-bootstrap.php
@@ -104,3 +104,8 @@ function getUserNotPiNotRequestedBecomePiRequestedAccountDeletion()
 {
     return ["user4@org1.test", "foo", "bar", "user4@org1.test"];
 }
+
+function getUserWithOneKey()
+{
+    return ["user5@org2.test", "foo", "bar", "user5@org2.test"];
+}
diff --git a/tools/docker-dev/identity/bootstrap.ldif b/tools/docker-dev/identity/bootstrap.ldif
index 9b5553ff..2846bea7 100644
--- a/tools/docker-dev/identity/bootstrap.ldif
+++ b/tools/docker-dev/identity/bootstrap.ldif
@@ -15313,9 +15313,6 @@ objectclass: top
 objectclass: ldapPublicKey
 sn: Surname
 sshpublickey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClA2207u2KjiExKhcx6luLt5JN0SRCHseeYJwb0MnpEZq5hHvwYsnE1DByjRAlZStbvCMHqrty4VYC7lCT3GEGhPwo7w8an6RaGWSWRvdi54rsa9Cb0uQdNoooBwKq548LQAIl+i54S/Qx+EQDvF4zyTUtSLm7zmC5JJJZ9KujFpAnoXajGd6G6HSvUYP38CIoOxjQoClF6Uz3jwWfysr4BrhdnfQBUqFAhYKFHDCP9HuKvwbHM9aO8fuH7MGPZvtEHjVGoZbt4zW9ROTUWYgo7/XPMmwVjLVAacXJQTK5nOjFD6+8FhWZysYqhaWM+43vRkKMA57mrZIj1LJklcbZ
-sshpublickey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCuQCJmDArk8CSLtEqrlxzP348iAjodsn37Xt1cQ1XADac+jzRGrZZwMlpuVLVhSU9KoTm/0MG39Fe5ympBAKjc7Z/rpDdMvlaW6tV+gmk5/BicNenipnsBJKu7Y0O71dceZiQKLWX2dq8FjZX7HVm+rBlMEwr+Z6SDcOjE9UOkwP1WsKm08vXWCBooVjW3PUy6xB/SS32CCRXCHGXbOwcOWHMz9LpUFjLIFe3AgvRs4/7nEw0tlF68j0tdxNZW3of+reVMHoRqtPugOma09xEPDF62A4x3k0X0/T4RetkbOagA2yvH267XVmuEKJsaoq7NWhvmSvIe4p7FuQqBtCF
-sshpublickey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCv28Tx9L2SGDn+a+ucWFkaVzDq4aGlwnnRmeHLFCgtGE9pqgqo8ee1ICJ6nWYLwkGjNoCwqZm2PdxQh87ATdeLSIwgNrPZ2dq0OcsQmzFahZfR4w2ptVThHGD9VylUzxjiXKPA2zvgGoZTpB8536QbTdX/60gZcqXWZBvsc19wCXXfPhWB8vO7nq+Mc6w09arNMxT5A3g3xlqGcco+XbdHbX/7TBy094yiITiFqHUTzT9PF1uMR50N4C4/IQP/ytqAh3RatOUwqlYaao4rDQ7P5kBBhtLgm6/UzmXSib1ImuDLLRQF/+PmngZh1fv9PsboxF68szuJRXSfP/2antXr
-sshpublickey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpqxgSrofjX44k79wkELSUWIZ0mVKB42HlGoDRtlfQkGAIvKLK3DWeZ9Y/SwIgxqlF7bhUb2zQTJd396996bUV9G/lwxIp9cQfAYAx6TQzUjdc/v9LFrc8RSqctR/MWKS4bZASBoHCl2XYEzVEj/suttqZjMkPN0HsTovCU1b2R0c+KO8x2KpbOxZR19A+kwgzrrJ3XDkGAQ/5QM7eJ+k3rRs9/aKuD2vFRw205Az/hugJkNjaxFecyJfxRV3SOD0rugANof92kgcK0ThuXCbrSvW6aGSIj83g2/jpsCL4mdPQkeKsiZyjVE/X190CTr3t/Dw7Fv8TGz9x0II9wVq1
 uid: user5_org2_test
 uidnumber: 1130
 
diff --git a/webroot/panel/account.php b/webroot/panel/account.php
index 23a7a918..8bd45171 100644
--- a/webroot/panel/account.php
+++ b/webroot/panel/account.php
@@ -55,7 +55,15 @@
             break;
         case "delKey":
             $keys = $USER->getSSHKeys();
-            unset($keys[intval($_POST["delIndex"])]);  // remove key from array
+            $indexStr = $_POST["delIndex"];
+            if (!preg_match("/^[0-9]+$/", $indexStr)) {
+                break;
+            }
+            $index = intval($indexStr);
+            if ($index >= count($keys)) {
+                break;
+            }
+            unset($keys[$index]);  // remove key from array
             $keys = array_values($keys);
 
             $USER->setSSHKeys($keys, $OPERATOR);  // Update user keys