diff --git a/app/template_folder/rest.py b/app/template_folder/rest.py
index e4b2779d5..2499ea933 100644
--- a/app/template_folder/rest.py
+++ b/app/template_folder/rest.py
@@ -1,5 +1,6 @@
 from flask import Blueprint, jsonify, request
 from sqlalchemy.exc import IntegrityError
+from sqlalchemy.orm.exc import NoResultFound
 from app.dao.template_folder_dao import (
 dao_create_template_folder,
@@ -8,7 +9,7 @@ from app.dao.template_folder_dao import (
 dao_delete_template_folder
 )
 from app.dao.services_dao import dao_fetch_service_by_id
-from app.errors import register_errors
+from app.errors import InvalidRequest, register_errors
 from app.models import TemplateFolder
 from app.template_folder.template_folder_schema import (
 post_create_template_folder_schema,
@@ -46,6 +47,15 @@ def create_template_folder(service_id):
 validate(data, post_create_template_folder_schema)
+ if data.get('parent_id') is not None:
+ try:
+ parent_folder = dao_get_template_folder_by_id(data['parent_id'])
+ except NoResultFound:
+ raise InvalidRequest("parent_id not found", status_code=400)
+
+ if parent_folder.service_id != service_id:
+ raise InvalidRequest("parent_id belongs to a different service", status_code=400)
+
 template_folder = TemplateFolder(
 service_id=service_id,
 name=data['name'].strip(),
diff --git a/tests/app/template_folder/test_template_folder_rest.py b/tests/app/template_folder/test_template_folder_rest.py
index 726b7d135..b3dcaf431 100644
--- a/tests/app/template_folder/test_template_folder_rest.py
+++ b/tests/app/template_folder/test_template_folder_rest.py
@@ -74,9 +74,6 @@ def test_create_template_folder_fails_if_missing_fields(admin_request, sample_se
 def test_create_template_folder_fails_if_unknown_parent_id(admin_request, sample_service):
- # create existing folder
- create_template_folder(sample_service)
-
 resp = admin_request.post(
 'template_folder.create_template_folder',
 service_id=sample_service.id,
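Review bot: In the `create_template_folder` hunk of app/template_folder/rest.py, the two new failure branches answer differently (`parent_id not found` vs `parent_id belongs to a different service`), so a caller scoped to one service can learn whether a folder id exists under another service. Unless the client needs that distinction, return the same error in the mismatch branch, e.g. `raise InvalidRequest("parent_id not found", status_code=400)`, or look the parent up through a DAO call filtered by both folder id and `service_id` so a foreign folder is simply not found; the new test's expected message would change with it. The `parent_folder.service_id != service_id` comparison also assumes the route passes `service_id` in the same type as the model column; if it arrives as a string while the column holds a UUID, every parent would be rejected, so confirm the route converter. The function body starts and ends outside the hunk.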
@@ -88,6 +85,21 @@ def test_create_template_folder_fails_if_unknown_parent_id(admin_request, sample
 assert resp['message'] == 'parent_id not found'
+def test_create_template_folder_fails_if_parent_id_from_different_service(admin_request, sample_service):
+ s1 = create_service(service_name='a')
+ parent_folder_id = create_template_folder(s1).id
+
+ resp = admin_request.post(
+ 'template_folder.create_template_folder',
+ service_id=sample_service.id,
+ _data={'name': 'bar', 'parent_id': str(parent_folder_id)},
+ _expected_status=400
+ )
+
+ assert resp['result'] == 'error'
+ assert resp['message'] == 'parent_id belongs to a different service'
+
+
 def test_rename_template_folder(admin_request, sample_service):
 existing_folder = create_template_folder(sample_service)
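Review bot: `test_create_template_folder_fails_if_parent_id_from_different_service` checks only the response body, so it does not show that the rejected request left nothing behind. Adding a check that no folder was stored for `sample_service`, e.g. `assert TemplateFolder.query.filter_by(service_id=sample_service.id).count() == 0` (assuming `TemplateFolder` is imported in this test module), would pin that the ownership check runs before any row is written. A matching test that a `parent_id` from the same service is accepted is not visible in this hunk; if none exists, it would guard against the check rejecting valid parents.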