diff --git a/porch/controllers/remoterootsync/pkg/applyset/applyset.go b/porch/controllers/remoterootsync/pkg/applyset/applyset.go
index 7c733ee79c..c7b4e7892b 100644
--- a/porch/controllers/remoterootsync/pkg/applyset/applyset.go
+++ b/porch/controllers/remoterootsync/pkg/applyset/applyset.go
@@ -18,6 +18,7 @@ import (
 "context"
 "encoding/json"
 "fmt"
+ "strings"
 "sync"

 "k8s.io/apimachinery/pkg/api/meta"
@@ -202,6 +203,13 @@ func (a *ApplySet) ApplyOnce(ctx context.Context) (*ApplyResults, error) {
 continue
 }

+ // Special case: errors are very cryptic with / in the name (we get a 404), and also avoid injection attacks
+ if strings.Contains(name, "/") {
+ err := fmt.Errorf("name %q is not valid", name)
+ results.applyError(gvk, nn, fmt.Errorf("error from apply: %w", err))
+ continue
+ }
+
 applied, err := dynamicResource.Patch(ctx, name, types.ApplyPatchType, j, a.patchOptions)
 if err != nil {
 results.applyError(gvk, nn, fmt.Errorf("error from apply: %w", err))
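Review bot: The new guard before `dynamicResource.Patch` rejects only `/`, so a name of `.` or `..`, or one containing `%`, still reaches the request path, and those are unsafe as a URL path segment for the same reason the comment gives. Whether the dynamic client rejects them itself depends on the client-go version in use, so validating here is the safer assumption. Consider replacing the condition with `if errs := path.IsValidPathSegmentName(name); len(errs) > 0 {` from `k8s.io/apimachinery/pkg/api/validation/path` (one more import), and applying the same check to the namespace if it comes from the same object. The wrapper text `error from apply: %w` is also misleading on this branch because no apply was attempted; something like `fmt.Errorf("invalid object name: %w", err)` would make the result easier to triage. ApplyOnce starts and ends outside this hunk, so any earlier validation of `name` is not visible here.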