diff --git a/app/models/ticket.rb b/app/models/ticket.rb
index 01c8a502e..e7f1a1fca 100644
--- a/app/models/ticket.rb
+++ b/app/models/ticket.rb
@@ -244,6 +244,11 @@ returns
 
   def merge_to(data)
 
+    # prevent cross merging tickets
+    target_ticket = Ticket.find(data[:ticket_id])
+    raise 'no target ticket given' if !target_ticket
+    raise 'invalid state for target ticket' if target_ticket.state.name == 'merged'
+
     # update articles
     Transaction.execute do
 
@@ -296,7 +301,7 @@ returns
       save!
 
       # touch new ticket (to broadcast change)
-      Ticket.find(data[:ticket_id]).touch
+      target_ticket.touch
     end
     true
   end
diff --git a/spec/models/ticket_spec.rb b/spec/models/ticket_spec.rb
index 3ef97f67e..bd19972eb 100644
--- a/spec/models/ticket_spec.rb
+++ b/spec/models/ticket_spec.rb
@@ -32,6 +32,24 @@ RSpec.describe Ticket do
       expect(check_ticket_ids).to match_array(expected_ticket_ids)
     end
 
+    it 'prevents cross merging tickets' do
+      source_ticket     = create(:ticket)
+      target_ticket     = create(:ticket)
+
+      result = source_ticket.merge_to(
+        ticket_id: target_ticket.id,
+        user_id:   1,
+      )
+      expect(result).to be(true)
+
+      expect {
+        result = target_ticket.merge_to(
+          ticket_id: source_ticket.id,
+          user_id:   1,
+        )
+      }.to raise_error('invalid state for target ticket')
+    end
+
   end
 
   describe '.destroy' do