diff --git a/CHANGELOG.md b/CHANGELOG.md
index fe1f3f3280..26b85f01c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Remove Auto-Generated TinyMCE Skins and Add `public/tinymce/skins/` to `.gitignore` [#3466](https://github.com/DMPRoadmap/roadmap/pull/3466)
 - Re-implement email confirmation [#3507](https://github.com/DMPRoadmap/roadmap/pull/3507)
 - Update `spec/support/faker.rb` to use `I18n.default_locale` [#3507](https://github.com/DMPRoadmap/roadmap/pull/3507)
+- Properly validate CSV Separator [#3557](https://github.com/DMPRoadmap/roadmap/pull/3557)
 ## v5.0.0
diff --git a/app/controllers/usage_controller.rb b/app/controllers/usage_controller.rb
index bf373aee17..f489a30130 100644
--- a/app/controllers/usage_controller.rb
+++ b/app/controllers/usage_controller.rb
@@ -151,9 +151,14 @@ def parse_filtered
 params[:filtered].present? && params[:filtered] == 'true'
 end
-  # set the csv separator or default to comma
+  # This sets the csv separator
+  # Ensures separator is either a comma or a safe separator
 def sep_param
-    params['sep'] || ','
+    safe_csv_separators = Rails.configuration.x.application.csv_separators
+    sep = params['sep'].to_s
+    return sep if safe_csv_separators.include?(sep)
+ ','
 end
 def min_max_dates(args:)
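Review bot: `safe_csv_separators.include?(sep)` in `sep_param` raises NoMethodError when `config.x.application.csv_separators` is not set, because an unset `config.x` key reads as nil; coercing with `safe_csv_separators = Array(Rails.configuration.x.application.csv_separators)` keeps the fallback to ',' on a missing or malformed configuration instead of turning a request with a `sep` parameter into a 500. The new comment says the method sets the separator, but it only returns one; `# Returns params['sep'] when it is in the configured allow-list, otherwise ','.` describes the contract more accurately. The exact-match `include?` check against a configured list is the right shape for a request parameter that ends up in generated CSV, and array- or hash-valued `sep` params become non-matching strings via `to_s`, so they degrade to the comma as well. The configuration that populates the allow-list is outside this hunk, so whether it already lists ',' cannot be confirmed here.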