diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index 01f365cb228592c4be91a5e91228313353f3453c..0065ebbb88868a565e8c5b8fce84f4507f251175 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -1,8 +1,9 @@
 class MediaController < ApplicationController
   skip_before_action :authenticate_user!
 
+  before_action :load_blob
+
   def show
-    @blob = ActiveStorage::Blob.find_signed! params[:signed_id]
     @size = @blob.byte_size
     if @blob.variable?
       variant_service = VariantService.compute(@blob, params[:filename_with_transformations], params[:format])
@@ -20,4 +21,14 @@ class MediaController < ApplicationController
     response.headers["Content-Length"] = "#{@size}"
     redirect_to blob_or_variant_url
   end
+
+  protected
+
+  def load_blob
+    begin
+      @blob = ActiveStorage::Blob.find_signed! params[:signed_id]
+    rescue ActiveSupport::MessageVerifier::InvalidSignature
+      raise ActiveRecord::RecordNotFound
+    end
+  end
 end