diff --git a/src/app/api/v1/document-folders/[id]/route.ts b/src/app/api/v1/document-folders/[id]/route.ts
index 3b788822..e4cc3365 100644
--- a/src/app/api/v1/document-folders/[id]/route.ts
+++ b/src/app/api/v1/document-folders/[id]/route.ts
@@ -4,10 +4,7 @@ import { z } from 'zod';
 import { withAuth, withPermission } from '@/lib/api/helpers';
 import { parseBody } from '@/lib/api/route-helpers';
 import { errorResponse, NotFoundError } from '@/lib/errors';
-import {
- renameFolderSchema,
- moveFolderSchema,
-} from '@/lib/validators/document-folders';
+import { renameFolderSchema, moveFolderSchema } from '@/lib/validators/document-folders';
 import {
 renameFolder,
 moveFolder,
@@ -20,7 +17,11 @@ import {
 * (one operation per call) and prevents the rep from accidentally
 * doing two unrelated changes in one click.
 */
-const patchBodySchema = z.union([renameFolderSchema, moveFolderSchema]);
+// `.strict()` on each branch so a body with BOTH name and parentId is
+// rejected by both members and the union produces a 400 — without it,
+// z.union silently picks the first match and drops the other key,
+// which would let a rename request silently swallow a move attempt.
+const patchBodySchema = z.union([renameFolderSchema.strict(), moveFolderSchema.strict()]);
 export const PATCH = withAuth(
 withPermission('documents', 'manage_folders', async (req, ctx, params) => {
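Review bot: Nothing visible in this diff pins the both-keys rejection that the new comment on `patchBodySchema` promises. A regression test that sends a PATCH body carrying both `name` and `parentId` and expects a 400 would stop a later schema edit from quietly re-opening the rename-swallows-move case. The 400 itself depends on how `parseBody` maps a union failure, which is outside this hunk, so confirm it rather than assume it. `.strict()` also rejects every unrecognised key, not only the other operation's, so clients that send extra fields will now fail; if that is intended, record it in the comment, e.g. `// Also rejects any other unknown key in the body.` The strictness is applied only at this call site, so other consumers of the schemas exported from `@/lib/validators/document-folders` presumably still strip unknown keys; applying it where the schemas are defined would make the guarantee uniform.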