diff --git a/nova/api/openstack/compute/servers.py b/nova/api/openstack/compute/servers.py
index d0e771e228b..925c6d42c19 100644
--- a/nova/api/openstack/compute/servers.py
+++ b/nova/api/openstack/compute/servers.py
@@ -636,8 +636,11 @@ def create(self, req, body):
 
         # If the image href was generated by nova api, strip image_href
         # down to an id and use the default glance connection params
-        if str(image_href).startswith(req.application_url):
-            image_href = image_href.split('/').pop()
+        image_href = image_href.split('/').pop()
+
+        if not utils.is_uuid_like(str(image_href)):
+            msg = _("Invalid imageRef provided.")
+            raise exc.HTTPBadRequest(explanation=msg)
 
         personality = server_dict.get('personality')
         config_drive = server_dict.get('config_drive')
diff --git a/nova/tests/api/openstack/compute/test_servers.py b/nova/tests/api/openstack/compute/test_servers.py
index c6c7fcc43c3..c8aa876c603 100644
--- a/nova/tests/api/openstack/compute/test_servers.py
+++ b/nova/tests/api/openstack/compute/test_servers.py
@@ -1637,6 +1637,46 @@ def test_create_instance_with_admin_supplied_reservation_id(self):
         reservation_id = res['reservation_id']
         self.assertEqual(reservation_id, "myresid")
 
+    def test_create_instance_image_ref_is_bookmark(self):
+        image_uuid = '76fa36fc-c930-4bf3-8c8a-ea2a2420deb6'
+        image_href = 'http://localhost/fake/images/%s' % image_uuid
+        flavor_ref = 'http://localhost/fake/flavors/3'
+        body = {
+            'server': {
+                'name': 'server_test',
+                'imageRef': image_href,
+                'flavorRef': flavor_ref,
+            },
+        }
+
+        req = fakes.HTTPRequest.blank('/v2/fake/servers')
+        req.method = 'POST'
+        req.body = json.dumps(body)
+        req.headers["content-type"] = "application/json"
+        res = self.controller.create(req, body).obj
+
+        server = res['server']
+        self.assertEqual(FAKE_UUID, server['id'])
+
+    def test_create_instance_image_ref_is_invalid(self):
+        image_uuid = 'this_is_not_a_valid_uuid'
+        image_href = 'http://localhost/fake/images/%s' % image_uuid
+        flavor_ref = 'http://localhost/fake/flavors/3'
+        body = {
+            'server': {
+                'name': 'server_test',
+                'imageRef': image_href,
+                'flavorRef': flavor_ref,
+            },
+        }
+
+        req = fakes.HTTPRequest.blank('/v2/fake/servers')
+        req.method = 'POST'
+        req.body = json.dumps(body)
+        req.headers["content-type"] = "application/json"
+        self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
+                          req, body)
+
     def test_create_instance_no_key_pair(self):
         fakes.stub_out_key_pair_funcs(self.stubs, have_key_pair=False)
         self._test_create_instance()