diff --git a/changelog/16112.txt b/changelog/16112.txt
new file mode 100644
index 000000000..3b61c6b89
--- /dev/null
+++ b/changelog/16112.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/auth: Return a 403 instead of a 500 for a malformed SSCT
+```
diff --git a/vault/request_handling.go b/vault/request_handling.go
index dbbe5b21c..b40bde28e 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -582,13 +582,16 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request
 			if token == nil {
 				return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied
 			}
-			// We don't care if the token is an server side consistent token or not. Either way, we're going
+			// We don't care if the token is a server side consistent token or not. Either way, we're going
 			// to be returning it for these paths instead of the short token stored in vault.
 			requestBodyToken = token.(string)
 			if IsSSCToken(token.(string)) {
 				token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby)
+
+				// If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client
+				// should receive a 403 bad token error like they do for all other invalid tokens.
 				if err != nil {
-					return nil, fmt.Errorf("server side consistent token check failed: %w", err)
+					return logical.ErrorResponse("bad token"), logical.ErrPermissionDenied
 				}
 				req.Data["token"] = token
 			}