diff --git a/services/repository/create.go b/services/repository/create.go
index be98e85aaf..e2d61bc0da 100644
--- a/services/repository/create.go
+++ b/services/repository/create.go
@@ -5,6 +5,7 @@ package repository
 
 import (
 	"bytes"
+	group_model "code.gitea.io/gitea/models/group"
 	"context"
 	"fmt"
 	"os"
@@ -234,6 +235,24 @@ func CreateRepositoryDirectly(ctx context.Context, doer, owner *user_model.User,
 	if opts.ObjectFormatName != git.Sha1ObjectFormat.Name() && opts.ObjectFormatName != git.Sha256ObjectFormat.Name() {
 		return nil, fmt.Errorf("unsupported object format: %s", opts.ObjectFormatName)
 	}
+	if opts.GroupID < 0 {
+		opts.GroupID = 0
+	}
+
+	// ensure that the parent group is owned by same user
+	if opts.GroupID > 0 {
+		newGroup, err := group_model.GetGroupByID(ctx, opts.GroupID)
+		if err != nil {
+			if group_model.IsErrGroupNotExist(err) {
+				opts.GroupID = 0
+			} else {
+				return nil, err
+			}
+		}
+		if newGroup.OwnerID != owner.ID {
+			return nil, fmt.Errorf("group[%d] is not owned by user[%d]", newGroup.ID, owner.ID)
+		}
+	}
 
 	repo := &repo_model.Repository{
 		OwnerID:                         owner.ID,