diff --git a/core/modules/file/file.module b/core/modules/file/file.module
index d220cabc57..f4d70293c2 100644
--- a/core/modules/file/file.module
+++ b/core/modules/file/file.module
@@ -992,15 +992,17 @@ function _file_save_upload_single(\SplFileInfo $file_info, $form_field_name, $va
   // filename.php.txt, respectively). Don't rename if 'allow_insecure_uploads'
   // evaluates to TRUE.
   if (!\Drupal::config('system.file')->get('allow_insecure_uploads') && preg_match(FILE_INSECURE_EXTENSION_REGEX, $file->getFilename()) && (substr($file->getFilename(), -4) != '.txt')) {
-    $file->setMimeType('text/plain');
-    // The destination filename will also later be used to create the URI.
-    $file->setFilename($file->getFilename() . '.txt');
-    // The .txt extension may not be in the allowed list of extensions. We have
-    // to add it here or else the file upload will fail.
-    if (!empty($extensions)) {
-      $validators['file_validate_extensions'][0] .= ' txt';
+    // Rename the file if possible otherwise we have to fail.
+    if ($extensions === '' || preg_match('/(^|\s)txt(\s|$)/', $extensions)) {
+      $file->setMimeType('text/plain');
+      // The destination filename will also later be used to create the URI.
+      $file->setFilename($file->getFilename() . '.txt');
       \Drupal::messenger()->addStatus(t('For security reasons, your upload has been renamed to %filename.', ['%filename' => $file->getFilename()]));
     }
+    else {
+      \Drupal::messenger()->addError(t('The file %filename could not be uploaded because the extension is insecure.', ['%filename' => $file->getFilename()]));
+      return FALSE;
+    }
   }
 
   // If the destination is not provided, use the temporary directory.
diff --git a/core/modules/file/src/Plugin/rest/resource/FileUploadResource.php b/core/modules/file/src/Plugin/rest/resource/FileUploadResource.php
index 44600369df..66b43066c7 100644
--- a/core/modules/file/src/Plugin/rest/resource/FileUploadResource.php
+++ b/core/modules/file/src/Plugin/rest/resource/FileUploadResource.php
@@ -471,13 +471,13 @@ protected function prepareFilename($filename, array &$validators) {
     // filename.php.txt, respectively). Don't rename if 'allow_insecure_uploads'
     // evaluates to TRUE.
     if (!$this->systemFileConfig->get('allow_insecure_uploads') && preg_match(FILE_INSECURE_EXTENSION_REGEX, $filename) && (substr($filename, -4) != '.txt')) {
-      // The destination filename will also later be used to create the URI.
-      $filename .= '.txt';
-
-      // The .txt extension may not be in the allowed list of extensions. We
-      // have to add it here or else the file upload will fail.
-      if (!empty($validators['file_validate_extensions'][0])) {
-        $validators['file_validate_extensions'][0] .= ' txt';
+      // Rename the file if possible otherwise we have to fail.
+      if (empty($validators['file_validate_extensions'][0]) || preg_match('/(^|\s)txt(\s|$)/', $validators['file_validate_extensions'][0])) {
+        // The destination filename will also later be used to create the URI.
+        $filename .= '.txt';
+      }
+      else {
+        throw new UnprocessableEntityHttpException(sprintf("Unprocessable Entity: The file %s could not be uploaded because the extension is insecure.", $filename));
       }
     }
 
diff --git a/core/modules/file/tests/src/Functional/SaveUploadTest.php b/core/modules/file/tests/src/Functional/SaveUploadTest.php
index 552cfc628e..3f7ba1b31d 100644
--- a/core/modules/file/tests/src/Functional/SaveUploadTest.php
+++ b/core/modules/file/tests/src/Functional/SaveUploadTest.php
@@ -199,7 +199,7 @@ public function testHandleDangerousFile() {
       'file_test_replace' => FILE_EXISTS_REPLACE,
       'files[file_test_upload]' => \Drupal::service('file_system')->realpath($this->phpfile->uri),
       'is_image_file' => FALSE,
-      'extensions' => 'php',
+      'extensions' => 'php txt',
     ];
 
     $this->drupalPostForm('file-test/upload', $edit, t('Submit'));
@@ -229,6 +229,24 @@ public function testHandleDangerousFile() {
 
     // Turn off insecure uploads.
     $config->set('allow_insecure_uploads', 0)->save();
+
+    // Reset the hook counters.
+    file_test_reset();
+
+    $edit = [
+      'file_test_replace' => FILE_EXISTS_REPLACE,
+      'files[file_test_upload]' => \Drupal::service('file_system')->realpath($this->phpfile->uri),
+      'is_image_file' => FALSE,
+      'extensions' => 'php',
+    ];
+
+    $this->drupalPostForm('file-test/upload', $edit, t('Submit'));
+    $this->assertResponse(200, 'Received a 200 response for posted test file.');
+    $this->assertSession()->pageTextContains('The file php-2.php could not be uploaded because the extension is insecure.');
+    $this->assertSession()->pageTextContains('Epic upload FAIL!');
+
+    // Check that the correct hooks were called.
+    $this->assertFileHooksCalled([]);
   }
 
   /**
diff --git a/core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php b/core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php
index cb3ef3e27a..3415a81327 100644
--- a/core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php
@@ -480,9 +480,9 @@ public function testFileUploadMaliciousExtension() {
     $this->assertTrue(file_exists('public://foobar/example.php.txt'));
 
     // Add php as an allowed format. Allow insecure uploads still being FALSE
-    // should still not allow this. So it should still have a .txt extension
-    // appended even though it is not in the list of allowed extensions.
-    $this->field->setSetting('file_extensions', 'php')
+    // should still not allow this. So it should be renamed to have .txt
+    // extension.
+    $this->field->setSetting('file_extensions', 'php txt')
       ->save();
     $this->refreshTestStateAfterRestConfigChange();
 
@@ -494,6 +494,19 @@ public function testFileUploadMaliciousExtension() {
     $this->assertTrue(file_exists('public://foobar/example_2.php.txt'));
     $this->assertFalse(file_exists('public://foobar/example_2.php'));
 
+    // Add php as an allowed format without txt. Allow insecure uploads still
+    // being FALSE should not allow this.
+    $this->field->setSetting('file_extensions', 'php')
+      ->save();
+    $this->refreshTestStateAfterRestConfigChange();
+
+    $response = $this->fileRequest($uri, $php_string, ['Content-Disposition' => 'filename="example_5.php"']);
+    $this->assertResourceErrorResponse(422, "Unprocessable Entity: The file example_5.php could not be uploaded because the extension is insecure.", $response);
+
+    // Make sure that no file was saved.
+    $this->assertFalse(file_exists('public://foobar/example_5.php'));
+    $this->assertFalse(file_exists('public://foobar/example_5.php.txt'));
+
     // Allow .doc file uploads and ensure even a mis-configured apache will not
     // fallback to php because the filename will be munged.
     $this->field->setSetting('file_extensions', 'doc')->save();