diff --git a/lib/Controller/InternalAddressController.php b/lib/Controller/InternalAddressController.php
index 47efb8946c..740fcbf08d 100644
--- a/lib/Controller/InternalAddressController.php
+++ b/lib/Controller/InternalAddressController.php
@@ -41,6 +41,10 @@ public function __construct(
 	 */
 	#[TrapError]
 	public function setAddress(string $address, string $type): JsonResponse {
+		if ($this->uid === null) {
+			return JsonResponse::error('User not found', Http::STATUS_UNAUTHORIZED);
+		}
+
 		$address = $this->internalAddressService->add(
 			$this->uid,
 			$address,
diff --git a/lib/Controller/ListController.php b/lib/Controller/ListController.php
index cf3c72f903..f91263b827 100644
--- a/lib/Controller/ListController.php
+++ b/lib/Controller/ListController.php
@@ -54,6 +54,10 @@ public function __construct(IRequest $request,
 	 * @UserRateThrottle(limit=10, period=3600)
 	 */
 	public function unsubscribe(int $id): JsonResponse {
+		if ($this->currentUserId === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		try {
 			$message = $this->mailManager->getMessage($this->currentUserId, $id);
 			$mailbox = $this->mailManager->getMailbox($this->currentUserId, $message->getMailboxId());
diff --git a/lib/Controller/SmimeCertificatesController.php b/lib/Controller/SmimeCertificatesController.php
index f1f017d205..78618b46ab 100644
--- a/lib/Controller/SmimeCertificatesController.php
+++ b/lib/Controller/SmimeCertificatesController.php
@@ -44,6 +44,10 @@ public function __construct(string $appName,
 	 */
 	#[TrapError]
 	public function index(): JsonResponse {
+		if ($this->userId === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		$certificates = $this->certificateService->findAllCertificates($this->userId);
 		$certificates = array_map(fn (SmimeCertificate $certificate) => $this->certificateService->enrichCertificate($certificate), $certificates);
 		return JsonResponse::success($certificates);
@@ -59,6 +63,10 @@ public function index(): JsonResponse {
 	 */
 	#[TrapError]
 	public function destroy(int $id): JsonResponse {
+		if ($this->userId === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		$this->certificateService->deleteCertificate($id, $this->userId);
 		return JsonResponse::success();
 	}
@@ -73,6 +81,10 @@ public function destroy(int $id): JsonResponse {
 	 */
 	#[TrapError]
 	public function create(): JsonResponse {
+		if ($this->userId === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		// TODO: What about PKCS12 certificates?
 		// They need to be decrypted by the client because they are protected by a password.
 		// We could use
diff --git a/lib/Controller/TrustedSendersController.php b/lib/Controller/TrustedSendersController.php
index 187d3e2410..047a66d9b7 100644
--- a/lib/Controller/TrustedSendersController.php
+++ b/lib/Controller/TrustedSendersController.php
@@ -41,6 +41,10 @@ public function __construct(IRequest $request,
 	 */
 	#[TrapError]
 	public function setTrusted(string $email, string $type): JsonResponse {
+		if ($this->uid === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		$this->trustedSenderService->trust(
 			$this->uid,
 			$email,
@@ -59,6 +63,10 @@ public function setTrusted(string $email, string $type): JsonResponse {
 	 */
 	#[TrapError]
 	public function removeTrust(string $email, string $type): JsonResponse {
+		if ($this->uid === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		$this->trustedSenderService->trust(
 			$this->uid,
 			$email,
@@ -75,6 +83,10 @@ public function removeTrust(string $email, string $type): JsonResponse {
 	 */
 	#[TrapError]
 	public function list(): JsonResponse {
+		if ($this->uid === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		$list = $this->trustedSenderService->getTrusted(
 			$this->uid
 		);
diff --git a/tests/Unit/Controller/InternalAddressControllerTest.php b/tests/Unit/Controller/InternalAddressControllerTest.php
new file mode 100644
index 0000000000..fafdb3b0f7
--- /dev/null
+++ b/tests/Unit/Controller/InternalAddressControllerTest.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Tests\Unit\Controller;
+
+use ChristophWurst\Nextcloud\Testing\TestCase;
+use OCA\Mail\Controller\InternalAddressController;
+use OCP\AppFramework\Http;
+
+class InternalAddressControllerTest extends TestCase {
+	public function testSetAddressNullUser(): void {
+		$serviceMock = $this->createServiceMock(InternalAddressController::class, [
+			'userId' => null,
+		]);
+
+		$response = $serviceMock->getService()->setAddress('test@example.com', 'individual');
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+}
diff --git a/tests/Unit/Controller/ListControllerTest.php b/tests/Unit/Controller/ListControllerTest.php
index 463680a972..259ded1d51 100644
--- a/tests/Unit/Controller/ListControllerTest.php
+++ b/tests/Unit/Controller/ListControllerTest.php
@@ -37,6 +37,17 @@ protected function setUp(): void {
 		$this->controller = $this->serviceMock->getService();
 	}
 
+	public function testUnsubscribeNullUser(): void {
+		$serviceMock = $this->createServiceMock(ListController::class, [
+			'userId' => null,
+		]);
+		$controller = $serviceMock->getService();
+
+		$response = $controller->unsubscribe(123);
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+
 	public function testMessageNotFound(): void {
 		$this->serviceMock->getParameter('mailManager')
 			->expects(self::once())
diff --git a/tests/Unit/Controller/SmimeCertificatesControllerTest.php b/tests/Unit/Controller/SmimeCertificatesControllerTest.php
new file mode 100644
index 0000000000..1504079ecc
--- /dev/null
+++ b/tests/Unit/Controller/SmimeCertificatesControllerTest.php
@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Tests\Unit\Controller;
+
+use ChristophWurst\Nextcloud\Testing\TestCase;
+use OCA\Mail\Controller\SmimeCertificatesController;
+use OCP\AppFramework\Http;
+
+class SmimeCertificatesControllerTest extends TestCase {
+	public function testIndexNullUser(): void {
+		$serviceMock = $this->createServiceMock(SmimeCertificatesController::class, [
+			'appName' => 'mail',
+			'userId' => null,
+		]);
+
+		$response = $serviceMock->getService()->index();
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+
+	public function testDestroyNullUser(): void {
+		$serviceMock = $this->createServiceMock(SmimeCertificatesController::class, [
+			'appName' => 'mail',
+			'userId' => null,
+		]);
+
+		$response = $serviceMock->getService()->destroy(1);
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+
+	public function testCreateNullUser(): void {
+		$serviceMock = $this->createServiceMock(SmimeCertificatesController::class, [
+			'appName' => 'mail',
+			'userId' => null,
+		]);
+
+		$response = $serviceMock->getService()->create();
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+}
diff --git a/tests/Unit/Controller/TrustedSendersControllerTest.php b/tests/Unit/Controller/TrustedSendersControllerTest.php
new file mode 100644
index 0000000000..6a51f2debc
--- /dev/null
+++ b/tests/Unit/Controller/TrustedSendersControllerTest.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Tests\Unit\Controller;
+
+use ChristophWurst\Nextcloud\Testing\TestCase;
+use OCA\Mail\Controller\TrustedSendersController;
+use OCP\AppFramework\Http;
+
+class TrustedSendersControllerTest extends TestCase {
+	public function testSetTrustedNullUser(): void {
+		$serviceMock = $this->createServiceMock(TrustedSendersController::class, [
+			'UserId' => null,
+		]);
+
+		$response = $serviceMock->getService()->setTrusted('sender@example.com', 'individual');
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+
+	public function testRemoveTrustNullUser(): void {
+		$serviceMock = $this->createServiceMock(TrustedSendersController::class, [
+			'UserId' => null,
+		]);
+
+		$response = $serviceMock->getService()->removeTrust('sender@example.com', 'individual');
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+
+	public function testListNullUser(): void {
+		$serviceMock = $this->createServiceMock(TrustedSendersController::class, [
+			'UserId' => null,
+		]);
+
+		$response = $serviceMock->getService()->list();
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+}
diff --git a/vendor-bin/phpunit/composer.json b/vendor-bin/phpunit/composer.json
index 936f211c08..6aef09d308 100644
--- a/vendor-bin/phpunit/composer.json
+++ b/vendor-bin/phpunit/composer.json
@@ -5,7 +5,7 @@
 		},
 		"sort-packages": true
 	},
-    "require-dev": {
-        "christophwurst/nextcloud_testing": "^1.1.0"
-    }
+	"require-dev": {
+		"christophwurst/nextcloud_testing": "^1.1.1"
+	}
 }
diff --git a/vendor-bin/phpunit/composer.lock b/vendor-bin/phpunit/composer.lock
index 97635e3fb8..68126f3dce 100644
--- a/vendor-bin/phpunit/composer.lock
+++ b/vendor-bin/phpunit/composer.lock
@@ -4,21 +4,21 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "be292b2d3c07ab4d670217b32dedbb81",
+    "content-hash": "c6a2e01254383be37831691ebceed7a7",
     "packages": [],
     "packages-dev": [
         {
             "name": "christophwurst/nextcloud_testing",
-            "version": "v1.1.0",
+            "version": "v1.1.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/ChristophWurst/nextcloud_testing.git",
-                "reference": "3bca2106eb406effc713162f0dc9e71fc735a8b3"
+                "reference": "152df875b0533e720fc20a77a33fecbd9d408588"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/ChristophWurst/nextcloud_testing/zipball/3bca2106eb406effc713162f0dc9e71fc735a8b3",
-                "reference": "3bca2106eb406effc713162f0dc9e71fc735a8b3",
+                "url": "https://api.github.com/repos/ChristophWurst/nextcloud_testing/zipball/152df875b0533e720fc20a77a33fecbd9d408588",
+                "reference": "152df875b0533e720fc20a77a33fecbd9d408588",
                 "shasum": ""
             },
             "require": {
@@ -45,9 +45,9 @@
             "description": "Simple and fast unit and integration testing framework for Nextcloud, based on PHPUnit",
             "support": {
                 "issues": "https://github.com/ChristophWurst/nextcloud_testing/issues",
-                "source": "https://github.com/ChristophWurst/nextcloud_testing/tree/v1.1.0"
+                "source": "https://github.com/ChristophWurst/nextcloud_testing/tree/v1.1.1"
             },
-            "time": "2025-12-10T13:23:32+00:00"
+            "time": "2026-02-17T08:39:26+00:00"
         },
         {
             "name": "doctrine/instantiator",