diff --git a/src/api/app/models/relationship.rb b/src/api/app/models/relationship.rb
index f625aaaa8d3..9e7d63d2e6c 100644
--- a/src/api/app/models/relationship.rb
+++ b/src/api/app/models/relationship.rb
@@ -36,6 +36,8 @@ class Relationship < ApplicationRecord
                                    message: 'User and group can not exist at the same time' },
                          if: proc { |relationship| relationship.group.present? }
 
+  validate :allowed_user
+
   # don't use "is not null" - it won't be in index
   scope :projects, -> { where.not(project_id: nil) }
   scope :packages, -> { where.not(package_id: nil) }
@@ -126,6 +128,13 @@ def check_global_role
       errors.add(:base, "global role #{role.title} is not allowed.")
     end
+
+  # NOTE: Adding a normal validation, the error doesn't reach the view due to
+  # Relationship::AddRole#add_role handling.
+  # We could also check other banned users, not only nobody.
+  def allowed_user
+    raise NotFoundError, "Couldn't find user #{user.login}" if user && user.is_nobody?
+  end
 
 end
 
 # == Schema Information
diff --git a/src/api/spec/models/relationship_spec.rb b/src/api/spec/models/relationship_spec.rb
index 20b7bdf36b7..aa45f2c93c4 100644
--- a/src/api/spec/models/relationship_spec.rb
+++ b/src/api/spec/models/relationship_spec.rb
@@ -43,6 +43,14 @@
         skip('This is imposible to happen with the actual validations and how the object is created')
       end
 
+      context 'with banned user' do
+        let(:nobody) { create(:user_nobody) }
+
+        subject { Relationship.add_user(project, nobody, role, true, true) }
+
+        it { expect { subject }.to raise_error(NotFoundError, "Couldn't find user #{nobody.login}") }
+      end
+
       context 'with valid data' do
         before do
           subject
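Review bot: `allowed_user` raises from inside a validation callback, so `valid?` and `save` on a Relationship whose user is the reserved nobody account abort with NotFoundError instead of returning false and populating `errors`; any caller other than Relationship::AddRole#add_role that relies on the normal validation contract will get an exception. The NOTE above the method acknowledges this as a workaround for the add_role handling, but the model-level contract would be cleaner with `errors.add(:user, 'is not allowed')` here and the raise kept on the add_role path. The message "Couldn't find user" is also misleading on this path, since the record does exist and is rejected because it is the nobody pseudo-user, and `user && user.is_nobody?` reads better as `user&.is_nobody?`. As the comment itself says, only `is_nobody?` is checked, so other banned or locked accounts are presumably rejected elsewhere; worth confirming that role grants to such accounts are covered by another guard.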
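Review bot: The new example exercises the validation only through `Relationship.add_user(project, nobody, role, true, true)`, so it pins the AddRole path but not the model validation itself, and the two unlabeled positional booleans leave the reader guessing what is being enabled. A second example that builds the relationship directly and asserts that `valid?` raises NotFoundError (rather than returning false) would document the unusual validation contract the model hunk introduces; a short comment on the `subject` line naming what the two `true` arguments mean would also help.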