diff --git a/CHANGELOG b/CHANGELOG
index 5785aaa13bb..668e12ae258 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -44,6 +44,7 @@ v 8.5.0 (unreleased)
   - Fix: init.d script not working on OS X
   - Faster snippet search
   - Title for milestones should be unique (Zeger-Jan van de Weg)
+  - Validate correctness of maximum attachment size application setting
 
 v 8.4.4
   - Update omniauth-saml gem to 1.4.2
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 44bbe5fb168..fa48fe5b9e4 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -93,6 +93,10 @@ class ApplicationSetting < ActiveRecord::Base
             presence: true,
             if: :akismet_enabled
 
+  validates :max_attachment_size,
+            presence: true,
+            numericality: { only_integer: true, greater_than: 0 }
+
   validates_each :restricted_visibility_levels do |record, attr, value|
     unless value.nil?
       value.each do |level|
diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb
index f4c58882757..161a32c51e6 100644
--- a/spec/models/application_setting_spec.rb
+++ b/spec/models/application_setting_spec.rb
@@ -66,6 +66,14 @@ describe ApplicationSetting, models: true do
     it { is_expected.to allow_value(http).for(:after_sign_out_path) }
     it { is_expected.to allow_value(https).for(:after_sign_out_path) }
     it { is_expected.not_to allow_value(ftp).for(:after_sign_out_path) }
+
+    it { is_expected.to validate_presence_of(:max_attachment_size) }
+
+    it do
+      is_expected.to validate_numericality_of(:max_attachment_size)
+        .only_integer
+        .is_greater_than(0)
+    end
   end
 
   context 'restricted signup domains' do