diff --git a/src/Api/Controllers/AccountsController.cs b/src/Api/Controllers/AccountsController.cs
index 01872caac0..e253b94d01 100644
--- a/src/Api/Controllers/AccountsController.cs
+++ b/src/Api/Controllers/AccountsController.cs
@@ -64,6 +64,11 @@ namespace Bit.Api.Controllers
 public async Task PostEmailToken([FromBody]EmailTokenRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
 {
 await Task.Delay(2000);
@@ -78,6 +83,11 @@ namespace Bit.Api.Controllers
 public async Task PutEmail([FromBody]EmailRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 var result = await _userService.ChangeEmailAsync(user, model.MasterPasswordHash, model.NewEmail, model.NewMasterPasswordHash, model.Token, model.Key);
 if(result.Succeeded)
@@ -99,6 +109,11 @@ namespace Bit.Api.Controllers
 public async Task PutPassword([FromBody]PasswordRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 var result = await _userService.ChangePasswordAsync(user, model.MasterPasswordHash, model.NewMasterPasswordHash, model.Key);
 if(result.Succeeded)
@@ -120,6 +135,10 @@ namespace Bit.Api.Controllers
 public async Task PutKey([FromBody]UpdateKeyRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
 // NOTE: It is assumed that the eventual repository call will make sure the updated
 // ciphers belong to user making this call. Therefore, no check is done here.
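Review bot: The same five-line null guard after `GetUserByPrincipalAsync` is pasted into `PostEmailToken` here and repeated verbatim in the other eighteen controller hunks of this commit (every AccountsController, AuthController, OrganizationUsersController, OrganizationsController and SettingsController action touched), which leaves the 401 policy in nineteen places and makes it easy for the next action to omit it. A single private helper per controller, or on a shared base class, that performs the lookup and throws `UnauthorizedAccessException` when the principal does not resolve to a user would reduce each action to one line, e.g. `var user = await GetCurrentUserOrThrowAsync();` (helper name constructed for this note). The guard itself is worth keeping even if these actions sit behind an authorization attribute not visible here, because a still-valid token whose subject no longer exists would otherwise reach `CheckPasswordAsync` with a null user and surface as a server error rather than a 401. `PostEmailToken` continues past the end of the hunk.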
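Review bot: The guard added to `PutKey` is the only one in this commit that is not followed by the blank `+` line separating the guard from the rest of the body in every other hunk, so its closing brace runs straight into the existing `// NOTE:` comment; adding the blank line keeps the five controllers visually consistent. `PutKey` continues past the end of the hunk.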
@@ -154,6 +173,11 @@ namespace Bit.Api.Controllers
 public async Task PutSecurityStamp([FromBody]SecurityStampRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 var result = await _userService.RefreshSecurityStampAsync(user, model.MasterPasswordHash);
 if(result.Succeeded)
 {
@@ -173,6 +197,11 @@ namespace Bit.Api.Controllers
 public async Task GetProfile()
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 var organizationUserDetails = await _organizationUserRepository.GetManyDetailsByUserAsync(user.Id, OrganizationUserStatusType.Confirmed);
 var response = new ProfileResponseModel(user, organizationUserDetails);
@@ -194,6 +223,11 @@ namespace Bit.Api.Controllers
 public async Task PutProfile([FromBody]UpdateProfileRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 await _userService.SaveUserAsync(model.ToUser(user));
 var response = new ProfileResponseModel(user, null);
 return response;
@@ -217,6 +251,11 @@ namespace Bit.Api.Controllers
 public async Task GetTwoFactor(string masterPasswordHash, TwoFactorProviderType provider)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 if(!await _userManager.CheckPasswordAsync(user, masterPasswordHash))
 {
 await Task.Delay(2000);
@@ -234,6 +273,11 @@ namespace Bit.Api.Controllers
 public async Task PutTwoFactor([FromBody]UpdateTwoFactorRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
 {
 await Task.Delay(2000);
@@ -271,6 +315,11 @@ namespace Bit.Api.Controllers
 public async Task PutTwoFactorRegenerate([FromBody]RegenerateTwoFactorRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
 {
 await Task.Delay(2000);
@@ -298,6 +347,11 @@ namespace Bit.Api.Controllers
 public async Task PutKeys([FromBody]KeysRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 await _userService.SaveUserAsync(model.ToUser(user));
 return new KeysResponseModel(user);
 }
@@ -306,6 +360,11 @@ namespace Bit.Api.Controllers
 public async Task GetKeys()
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 return new KeysResponseModel(user);
 }
@@ -313,6 +372,11 @@ namespace Bit.Api.Controllers
 public async Task PostDelete([FromBody]DeleteAccountRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
 {
 ModelState.AddModelError("MasterPasswordHash", "Invalid password.");
diff --git a/src/Api/Controllers/AuthController.cs b/src/Api/Controllers/AuthController.cs
index 9c4c34b0a5..cb1ac05a42 100644
--- a/src/Api/Controllers/AuthController.cs
+++ b/src/Api/Controllers/AuthController.cs
@@ -48,6 +48,11 @@ namespace Bit.Api.Controllers
 public async Task PostTokenTwoFactor([FromBody]AuthTokenTwoFactorRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 var result = await _signInManager.TwoFactorSignInAsync(user, model.Provider, model.Code, model.Device?.ToDevice());
 if(result == JwtBearerSignInResult.Success)
 {
diff --git a/src/Api/Controllers/OrganizationUsersController.cs b/src/Api/Controllers/OrganizationUsersController.cs
index 75953836af..560c624806 100644
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@@ -115,6 +115,11 @@ namespace Bit.Api.Controllers
 public async Task Accept(string orgId, string id, [FromBody]OrganizationUserAcceptRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 var result = await _organizationService.AcceptUserAsync(new Guid(id), user, model.Token);
 }
diff --git a/src/Api/Controllers/OrganizationsController.cs b/src/Api/Controllers/OrganizationsController.cs
index 8d8c518842..72f849c311 100644
--- a/src/Api/Controllers/OrganizationsController.cs
+++ b/src/Api/Controllers/OrganizationsController.cs
@@ -95,6 +95,11 @@ namespace Bit.Api.Controllers
 public async Task Post([FromBody]OrganizationCreateRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 var organizationSignup = model.ToOrganizationSignup(user);
 var result = await _organizationService.SignUpAsync(organizationSignup);
 return new OrganizationResponseModel(result.Item1);
@@ -218,6 +223,11 @@ namespace Bit.Api.Controllers
 }
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 if(!await _userManager.CheckPasswordAsync(user, model.MasterPasswordHash))
 {
 ModelState.AddModelError("MasterPasswordHash", "Invalid password.");
diff --git a/src/Api/Controllers/SettingsController.cs b/src/Api/Controllers/SettingsController.cs
index c4fe1e6390..d4887c25da 100644
--- a/src/Api/Controllers/SettingsController.cs
+++ b/src/Api/Controllers/SettingsController.cs
@@ -23,6 +23,11 @@ namespace Bit.Api.Controllers
 public async Task GetDomains(bool excluded = true)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 var response = new DomainsResponseModel(user, excluded);
 return response;
 }
@@ -32,6 +37,11 @@ namespace Bit.Api.Controllers
 public async Task PutDomains([FromBody]UpdateDomainsRequestModel model)
 {
 var user = await _userService.GetUserByPrincipalAsync(User);
+ if(user == null)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 await _userService.SaveUserAsync(model.ToUser(user));
 var response = new DomainsResponseModel(user);
diff --git a/src/Api/Utilities/ExceptionHandlerFilterAttribute.cs b/src/Api/Utilities/ExceptionHandlerFilterAttribute.cs
index e2b78b7d33..6a6ab15928 100644
--- a/src/Api/Utilities/ExceptionHandlerFilterAttribute.cs
+++ b/src/Api/Utilities/ExceptionHandlerFilterAttribute.cs
@@ -58,6 +58,11 @@ namespace Bit.Api.Utilities
 errorModel.Message = "Invalid token.";
 context.HttpContext.Response.StatusCode = 403;
 }
+ else if(exception is UnauthorizedAccessException)
+ {
+ errorModel.Message = "Unauthorized.";
+ context.HttpContext.Response.StatusCode = 401;
+ }
 else
 {
 var logger = context.HttpContext.RequestServices.GetRequiredService>();
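Review bot: `UnauthorizedAccessException` is a general-purpose BCL exception that the runtime itself throws for failures unrelated to the caller, such as file or registry permission errors on the server, so after this hunk any such failure during a request is reported to the client as a 401 `Unauthorized.` and, unlike the `else` branch below that at least obtains a logger, leaves no trace on the server. A small project-owned exception type (constructed name, e.g. `UnauthorizedException : Exception`) thrown from the nineteen controller guards and matched here with `else if(exception is UnauthorizedException)` would keep the 401 mapping from masking genuine server-side permission problems; if the BCL type is kept, the new branch should at least log the exception. A 401 response is also expected to carry a `WWW-Authenticate` header, which this branch does not set. The enclosing method starts and ends outside the hunk.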