diff --git a/CHANGELOG.md b/CHANGELOG.md index 5c379dbc2f..af0f708510 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## v5.0.2 - Bump Ruby to v3.1.4 and use `.ruby-version` in CI [#3566](https://github.com/DMPRoadmap/roadmap/pull/3566) - Enable session timeout after 90 minutes of inactivity [#3568](https://github.com/DMPRoadmap/roadmap/pull/3568) +- Validate CSV Separator [#3569](https://github.com/DMPRoadmap/roadmap/pull/3569) ## v5.0.1 - Updated seeds.rb file for identifier_schemes to include context value and removed logo_url and idenitifier_prefix for Shibboleth (as it was causing issues with SSO). [#3525](https://github.com/DMPRoadmap/roadmap/pull/3525) diff --git a/app/controllers/usage_controller.rb b/app/controllers/usage_controller.rb index bf373aee17..f489a30130 100644 --- a/app/controllers/usage_controller.rb +++ b/app/controllers/usage_controller.rb @@ -151,9 +151,14 @@ def parse_filtered params[:filtered].present? && params[:filtered] == 'true' end - # set the csv separator or default to comma + # This sets the csv separator + # Ensures separator is either a comma or a safe separator def sep_param - params['sep'] || ',' + safe_csv_separators = Rails.configuration.x.application.csv_separators + sep = params['sep'].to_s + return sep if safe_csv_separators.include?(sep) + + ',' end def min_max_dates(args:)
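Review bot: In `sep_param` (app/controllers/usage_controller.rb), `safe_csv_separators.include?(sep)` assumes `Rails.configuration.x.application.csv_separators` is always set, but nothing in this diff defines that setting. An unset `config.x` key returns nil, so an instance without it would raise NoMethodError whenever `sep_param` is called instead of falling back to `','`. Guard the lookup, for example `Array(Rails.configuration.x.application.csv_separators)`, or add the default list to the application config in this same change. The new comment could also name the config key so operators know where the allowed separators come from. A controller spec covering an allowed separator, a disallowed one, and a missing `sep` parameter would pin the fallback behaviour.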