diff --git a/openspec/changes/code-review-fix/tasks.md b/openspec/changes/code-review-fix/tasks.md
index 86644a9..831c268 100644
--- a/openspec/changes/code-review-fix/tasks.md
+++ b/openspec/changes/code-review-fix/tasks.md
@@ -30,7 +30,7 @@
 - [x] 4.2 `[sonnet]` Add Zod schema validation to `src/app/api/predict/batch/route.ts` (validate pair, timeframe, start_date, end_date)
 - [x] 4.3 `[sonnet]` Add Zod schema validation to `src/app/api/model/load/route.ts` (validate run_id)
 - [x] 4.4 `[sonnet]` Add Zod schema validation to `src/app/api/training/start/route.ts` (validate model_type)
-- [ ] 4.5 `[sonnet]` Add Zod schema validation to `src/app/api/patterns/detect/route.ts` (validate candles, patterns array)
+- [x] 4.5 `[sonnet]` Add Zod schema validation to `src/app/api/patterns/detect/route.ts` (validate candles, patterns array)
 - [ ] 4.6 `[sonnet]` Replace `error.message` with generic `"Internal server error"` in all catch blocks across 7+ route files: `health/route.ts`, `candles/route.ts`, `annotations/route.ts`, `annotations/[id]/route.ts`, `upload/route.ts`, `export/route.ts`, `span-annotations/export/route.ts`
 - [ ] 4.7 `[sonnet]` Require `chartId` for bulk delete in `src/app/api/annotations/route.ts` — reject `?all=true` without chartId with HTTP 400
 - [ ] 4.8 `[sonnet]` Wrap chart cascade delete in `db.transaction()` and add `spanAnnotations` deletion in `src/app/api/charts/[id]/route.ts`
diff --git a/src/app/api/patterns/detect/route.ts b/src/app/api/patterns/detect/route.ts
index 5d9a929..cd4f5aa 100644
--- a/src/app/api/patterns/detect/route.ts
+++ b/src/app/api/patterns/detect/route.ts
@@ -1,9 +1,24 @@
 import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
 
 const INFERENCE_API_URL = process.env.INFERENCE_API_URL || 'http://localhost:8001';
 // Pattern detection may take longer on large datasets
 const INFERENCE_API_TIMEOUT = parseInt(process.env.INFERENCE_API_TIMEOUT || '60000', 10);
 
+const CandleSchema = z.object({
+  time: z.number(),
+  open: z.number(),
+  high: z.number(),
+  low: z.number(),
+  close: z.number(),
+  volume: z.number().optional(),
+});
+
+const PatternDetectRequestSchema = z.object({
+  candles: z.array(CandleSchema),
+  patterns: z.array(z.string().min(1)),
+});
+
 export async function POST(request: NextRequest) {
   const controller = new AbortController();
   const timeoutId = setTimeout(() => controller.abort(), INFERENCE_API_TIMEOUT);
@@ -11,10 +26,21 @@ export async function POST(request: NextRequest) {
   try {
     const body = await request.json();
 
+    const result = PatternDetectRequestSchema.safeParse(body);
+    if (!result.success) {
+      clearTimeout(timeoutId);
+      return NextResponse.json(
+        { error: 'Invalid request', details: result.error.flatten() },
+        { status: 400 }
+      );
+    }
+
+    const validatedBody = result.data;
+
     const response = await fetch(`${INFERENCE_API_URL}/patterns/detect`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json', 'X-API-Key': process.env.API_KEY || '' },
-      body: JSON.stringify(body),
+      body: JSON.stringify(validatedBody),
       signal: controller.signal,
     });
     clearTimeout(timeoutId);