diff --git a/CHANGELOG.md b/CHANGELOG.md
index cb1bb8b..db745de 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Updated installation instructions, default mitra config and recommended nginx config.
 - Limited the number of requests made during the processing of a thread.
+- Limited the number of media files that can be attached to a post.
 ### Removed
diff --git a/src/activitypub/handlers/create.rs b/src/activitypub/handlers/create.rs
index af2af92..d485533 100644
--- a/src/activitypub/handlers/create.rs
+++ b/src/activitypub/handlers/create.rs
@@ -29,7 +29,11 @@ use crate::models::posts::{
 mentions::mention_to_address,
 queries::create_post,
 types::{Post, PostCreateData, Visibility},
- validators::{content_allowed_classes, CONTENT_MAX_SIZE},
+ validators::{
+ content_allowed_classes,
+ ATTACHMENTS_MAX_NUM,
+ CONTENT_MAX_SIZE,
+ },
 };
 use crate::models::profiles::queries::get_profile_by_acct;
 use crate::models::profiles::types::DbActorProfile;
@@ -48,8 +52,6 @@ fn get_note_author_id(object: &Object) -> Result {
 Ok(author_id)
 }
-const ATTACHMENTS_MAX_NUM: usize = 15;
-
 fn parse_object_url(value: &JsonValue) -> Result {
 let object_url = match value {
 JsonValue::String(string) => string.to_owned(),
diff --git a/src/mastodon_api/statuses/views.rs b/src/mastodon_api/statuses/views.rs
index c3664bb..156306b 100644
--- a/src/mastodon_api/statuses/views.rs
+++ b/src/mastodon_api/statuses/views.rs
@@ -31,7 +31,7 @@ use crate::models::posts::queries::{
 delete_post,
 };
 use crate::models::posts::types::{PostCreateData, Visibility};
-use crate::models::posts::validators::clean_content;
+use crate::models::posts::validators::{clean_content, ATTACHMENTS_MAX_NUM};
 use crate::models::reactions::queries::{
 create_reaction,
 delete_reaction,
@@ -139,6 +139,11 @@ async fn create_status(
 } else {
 None
 };
+ // Validate attachments
+ let attachments = status_data.media_ids.unwrap_or(vec![]);
+ if attachments.len() > ATTACHMENTS_MAX_NUM {
+ return Err(ValidationError("too many attachments").into());
+ };
 // Create post
 let post_data = PostCreateData {
@@ -146,7 +151,7 @@ async fn create_status(
 in_reply_to_id: status_data.in_reply_to_id,
 repost_of_id: None,
 visibility: visibility,
- attachments: status_data.media_ids.unwrap_or(vec![]),
+ attachments: attachments,
 mentions: mentions,
 tags: tags,
 links: links,
diff --git a/src/models/posts/validators.rs b/src/models/posts/validators.rs
index 4d8ed89..a7c0df1 100644
--- a/src/models/posts/validators.rs
+++ b/src/models/posts/validators.rs
@@ -1,6 +1,7 @@
 use crate::errors::ValidationError;
 use crate::utils::html::clean_html_strict;
+pub const ATTACHMENTS_MAX_NUM: usize = 15;
 pub const CONTENT_MAX_SIZE: usize = 100000;
 const CONTENT_ALLOWED_TAGS: [&str; 8] = [
 "a",
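Review bot: In the new validation block of `create_status`, `status_data.media_ids.unwrap_or(vec![])` is the eager form Clippy flags and `let attachments = status_data.media_ids.unwrap_or_default();` says the same thing, while the `};` that closes the `if` carries a stray semicolon that a bare `}` replaces. The length check alone still admits the same media id repeated up to `ATTACHMENTS_MAX_NUM` times, so unless `create_post` rejects duplicates (not visible here) a duplicate check before the limit, e.g. comparing `attachments.len()` with the size of a `HashSet` built from the ids, keeps the cap meaningful. Whether each media id is confirmed to belong to the authenticated user is not decided in this hunk either, so it is worth confirming that check exists on the `create_post` path. `create_status` begins before this hunk and continues past it into the next one.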
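Review bot: The new `pub const ATTACHMENTS_MAX_NUM` in validators.rs is exported without a doc comment, although this commit makes it the single definition of the limit consumed by both `src/mastodon_api/statuses/views.rs` and `src/activitypub/handlers/create.rs`. A one-line rustdoc such as `/// Maximum number of media attachments a single post may carry; shared by the Mastodon API and the ActivityPub handlers.` tells the next reader why the constant lives with the validators and that changing it affects both paths. The hunk sits at module top level, so no enclosing definition is cut.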