diff --git a/CHANGELOG.md b/CHANGELOG.md
index f647ab33..d22dfae6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@
 * adds Google UA support
 * extends selectable icon sizes (adds 128px, 192px, 256px, 384px)
 * improves preview GUI
+* disable thumbs in `cache` folder
 * fixes QR code URI origin (issue [#287](https://github.com/lrsjng/h5ai/issues/287))
 * removes server side file manipulation extensions `dropbox`, `delete` and `rename`
 * updates H5BP to 4.3.0
diff --git a/src/_h5ai/server/php/inc/class-thumb.php b/src/_h5ai/server/php/inc/class-thumb.php
index 8ac0b390..308707f4 100644
--- a/src/_h5ai/server/php/inc/class-thumb.php
+++ b/src/_h5ai/server/php/inc/class-thumb.php
@@ -22,6 +22,9 @@ class Thumb {
 public function thumb($type, $source_url, $mode, $width, $height) {
 $source_path = $this->app->to_path($source_url);
+ if (!file_exists($source_path) || starts_with($source_path, CACHE_PATH)) {
+ return null;
+ }
 if ($type === "img") {
 $capture_path = $source_path;
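Review bot: The new guard in `thumb()` tests the raw result of `to_path($source_url)` against `CACHE_PATH` as a plain string prefix, so it only holds if `to_path()` already returns a canonical path. That function is not visible in this hunk; if it leaves `..` segments or symlinks unresolved, a path that resolves into the cache folder could fail the prefix test and still be thumbnailed. A bare prefix also matches sibling names such as a directory whose name merely begins with the cache folder's name. I would canonicalise before comparing and match on a directory boundary: `$source_path = realpath($source_path);` then `if ($source_path === false || starts_with($source_path, rtrim(CACHE_PATH, '/') . '/')) { return null; }`, with the result normalised the same way `CACHE_PATH` is. If nothing elsewhere confirms the path lies under the served root, a positive check for that would be a stronger control than denying one folder; the body of `thumb()` continues outside the hunk.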