diff --git a/routes/task_routes.py b/routes/task_routes.py
index 66049237d..38513b677 100644
--- a/routes/task_routes.py
+++ b/routes/task_routes.py
@@ -497,6 +497,15 @@ def setup_task_routes(task_scheduler) -> APIRouter:
 else bool(req.notifications_enabled) if req.notifications_enabled is not None else True
 )
+ # Validate chained task belongs to same owner
+ if req.then_task_id:
+ chain_target = db.query(ScheduledTask).filter(
+ ScheduledTask.id == req.then_task_id
+ ).first()
+ if not chain_target:
+ raise HTTPException(400, "Chained task not found")
+ if chain_target.owner != user:
+ raise HTTPException(403, "Cannot chain to another user's task")
 task = ScheduledTask(
 id=task_id,
 owner=user,
@@ -671,6 +680,14 @@ def setup_task_routes(task_scheduler) -> APIRouter:
 if req.trigger_count is not None:
 task.trigger_count = req.trigger_count
 if req.then_task_id is not None:
+ if req.then_task_id:
+ chain_target = db.query(ScheduledTask).filter(
+ ScheduledTask.id == req.then_task_id
+ ).first()
+ if not chain_target:
+ raise HTTPException(400, "Chained task not found")
+ if chain_target.owner != user:
+ raise HTTPException(403, "Cannot chain to another user's task")
 task.then_task_id = req.then_task_id or None
 if req.notifications_enabled is not None:
 task.notifications_enabled = bool(req.notifications_enabled)
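Review bot: The added check answers 400 `"Chained task not found"` for an unknown id and 403 `"Cannot chain to another user's task"` for a foreign one, so any authenticated caller can tell which task ids exist under other owners. Scoping the lookup to the caller, by adding `ScheduledTask.owner == user` to the `.filter(...)` and returning a single error when nothing matches, closes that gap. The same applies to the identical block in the update hunk (`@@ -671,6 +680,14`). Because the block is copied verbatim into both paths, a small shared helper taking `db`, `then_task_id` and `user` would keep the two from drifting apart. The enclosing handler starts and ends outside the hunk.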
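Review bot: On the update path the ownership check still lets `req.then_task_id` name the task being edited, or a task whose own chain leads back to it, so an owner can build a loop. If the scheduler has no cycle guard (not visible here), add `if req.then_task_id == task.id: raise HTTPException(400, "Task cannot chain to itself")` before the lookup and consider walking the `then_task_id` links with a depth cap. Rows saved before this change keep any cross-owner `then_task_id` they already hold, so the same owner comparison is worth repeating where the chain is actually executed. The handler body continues outside the hunk.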