diff --git a/src/app/api/applications/bulk-status/route.test.ts b/src/app/api/applications/bulk-status/route.test.ts
new file mode 100644
index 00000000..cee8676b
--- /dev/null
+++ b/src/app/api/applications/bulk-status/route.test.ts
@@ -0,0 +1,36 @@
+import { describe, expect, it, vi, beforeEach } from "vitest";
+import { NextRequest } from "next/server";
+import { PUT } from "./route";
+
+const mockGetAuthContext = vi.fn();
+vi.mock("@/lib/auth/get-user", () => ({
+  getAuthContext: (...args: unknown[]) => mockGetAuthContext(...args),
+}));
+
+const mockFrom = vi.fn();
+
+function makeRequest(body: string) {
+  return new NextRequest("http://localhost/api/applications/bulk-status", {
+    method: "PUT",
+    headers: { "Content-Type": "application/json" },
+    body,
+  });
+}
+
+describe("PUT /api/applications/bulk-status", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockGetAuthContext.mockResolvedValue({
+      user: { id: "poster-1" },
+      supabase: { from: mockFrom },
+    });
+  });
+
+  it("returns 400 for malformed JSON without querying Supabase", async () => {
+    const res = await PUT(makeRequest("{"));
+
+    expect(res.status).toBe(400);
+    await expect(res.json()).resolves.toEqual({ error: "Invalid JSON body" });
+    expect(mockFrom).not.toHaveBeenCalled();
+  });
+});
diff --git a/src/app/api/applications/bulk-status/route.ts b/src/app/api/applications/bulk-status/route.ts
index 3ab9b469..cf9ba3b0 100644
--- a/src/app/api/applications/bulk-status/route.ts
+++ b/src/app/api/applications/bulk-status/route.ts
@@ -13,6 +13,16 @@ const bulkStatusSchema = z.object({
   ]),
 });
 
+async function parseJsonBody(request: NextRequest) {
+  try {
+    return { body: await request.json() };
+  } catch {
+    return {
+      response: NextResponse.json({ error: "Invalid JSON body" }, { status: 400 }),
+    };
+  }
+}
+
 // PUT /api/applications/bulk-status - Bulk update application statuses
 export async function PUT(request: NextRequest) {
   try {
@@ -22,7 +32,10 @@ export async function PUT(request: NextRequest) {
     }
     const { user, supabase } = auth;
 
-    const body = await request.json();
+    const parsed = await parseJsonBody(request);
+    if (parsed.response) return parsed.response;
+
+    const body = parsed.body;
     const validationResult = bulkStatusSchema.safeParse(body);
 
     if (!validationResult.success) {