diff --git a/.semgrep/http_endpoint.yml b/.semgrep/http_endpoint.yml
new file mode 100644
index 00000000000..007798613ba
--- /dev/null
+++ b/.semgrep/http_endpoint.yml
@@ -0,0 +1,22 @@
+rules:
+ - id: "http-endpoint-request-decode-error-code"
+ patterns:
+ - pattern: |
+ if err := decodeBody(...); err != nil {
+ return nil, CodedError(...)
+ }
+ - pattern-not-inside: |
+ if err := decodeBody(...); err != nil {
+ return nil, CodedError(400, ...)
+ }
+ - pattern-not-inside: |
+ if err := decodeBody(...); err != nil {
+ return nil, CodedError(http.StatusBadRequest, ...)
+ }
+ message: "HTTP endpoint request decode should return http.StatusBadRequest"
+ languages:
+ - "go"
+ severity: "ERROR"
+ paths:
+ include:
+ - "command/agent/*_endpoint.go"
diff --git a/command/agent/acl_endpoint.go b/command/agent/acl_endpoint.go
index 9eb71121a15..9cb171b884f 100644
--- a/command/agent/acl_endpoint.go
+++ b/command/agent/acl_endpoint.go
@@ -477,7 +477,7 @@ func (s *HTTPServer) aclRoleUpsertRequest(
 // Decode the ACL role.
 var aclRole structs.ACLRole
 if err := decodeBody(req, &aclRole); err != nil {
- return nil, CodedError(http.StatusInternalServerError, err.Error())
+ return nil, CodedError(http.StatusBadRequest, err.Error())
 }
 
 // Ensure the request path ID matches the ACL role ID that was decoded.
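Review bot: The rule only fires on the exact `if err := decodeBody(...); err != nil { return nil, CodedError(...) }` shape, so a handler that writes `return nil, err` without the CodedError wrapper, or that assigns `err = decodeBody(...)` and checks it in a separate `if`, is never flagged and still surfaces decode failures with whatever status the fallback error path assigns (presumably not 400). Wrapping the existing pattern in a `pattern-either` with a bare `return nil, err` alternative closes the first gap; the two `pattern-not-inside` exclusions stay as they are, since an unwrapped return should be reported. Note also that `paths.include` limits the check to `command/agent/*_endpoint.go`, so any `decodeBody` caller outside that glob is unchecked, and with `severity: "ERROR"` every remaining `http.StatusInternalServerError` call site in those files will fail the scan even though this commit fixes only one.
```yaml
    patterns:
      - pattern-either:
          - pattern: |
              if err := decodeBody(...); err != nil {
                return nil, CodedError(...)
              }
          - pattern: |
              if err := decodeBody(...); err != nil {
                return nil, err
              }
      # … unchanged: the two pattern-not-inside exclusions, message, languages, severity, paths …
```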
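Review bot: The status change to `http.StatusBadRequest` is right, but the added line still returns `err.Error()` from the body decoder verbatim to the client; if `decodeBody` passes through encoding/json errors (not visible here), those messages name Go struct types and fields such as `ACLRole`, which is more internal detail than a malformed-request response needs to disclose. Consider a fixed or prefixed message instead, e.g. `return nil, CodedError(http.StatusBadRequest, fmt.Sprintf("failed to decode request body: %v", err))`, or log the raw error server-side and return a generic one, depending on how the other `*_endpoint.go` handlers treat decode errors. A short comment such as `// Malformed request bodies are a client error, not a server fault.` above the return would record why 400 rather than 500 is correct for the next reader. The body of `aclRoleUpsertRequest` begins and ends outside this hunk.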