diff --git a/src/network/mcpe/handler/LoginPacketHandler.php b/src/network/mcpe/handler/LoginPacketHandler.php
index a8c3d4d62..e738323e4 100644
--- a/src/network/mcpe/handler/LoginPacketHandler.php
+++ b/src/network/mcpe/handler/LoginPacketHandler.php
@@ -95,7 +95,7 @@ class LoginPacketHandler extends PacketHandler{
 }else{
 $playerInfo = new PlayerInfo(
 $extraData->displayName,
- $uuid,
+ null, //we can't trust UUIDs of non-XBL players - replace this with a server-generated UUID
 $skin,
 $clientData->LanguageCode,
 (array) $clientData
diff --git a/src/player/PlayerInfo.php b/src/player/PlayerInfo.php
index 966993435..82736f0f8 100644
--- a/src/player/PlayerInfo.php
+++ b/src/player/PlayerInfo.php
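Review bot: The trailing comment on the new `null` argument reads like an instruction still to be carried out ("replace this with…"), although the replacement already happens inside the `PlayerInfo` constructor; the same wording is repeated in `XboxLivePlayerInfo::withoutXboxData()`. Something like `null, //client-supplied UUID is untrusted without XBL; PlayerInfo derives one from the username` states what the `null` actually does. The `$uuid` being replaced is parsed outside this hunk, so it is worth checking whether a malformed client UUID still rejects the login for non-XBL players even though the value is now discarded. Records keyed by the previously client-sent UUID will stop matching for these players, which deserves a line in the changelog.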
@@ -25,24 +25,42 @@ namespace pocketmine\player;
 use pocketmine\entity\Skin;
 use pocketmine\utils\TextFormat;
+use Ramsey\Uuid\Uuid;
 use Ramsey\Uuid\UuidInterface;
 /**
 * Encapsulates data needed to create a player.
 */
 class PlayerInfo{
+ /**
+ * Namespace for server-generated UUIDs for unauthenticated (non-XBL) players.
+ * This must not be changed.
+ */
+ private const UNAUTHENTICATED_PLAYER_UUID_NS = '6a6424c0-a26f-43b7-8e72-4176d051748d';
+
+ private UuidInterface $uuid;
 /**
 * @param mixed[] $extraData
 * @phpstan-param array $extraData
 */
 public function __construct(
 private string $username,
- private UuidInterface $uuid,
+ ?UuidInterface $uuid,
 private Skin $skin,
 private string $locale,
 private array $extraData = []
 ){
 $this->username = TextFormat::clean($username);
+ $this->uuid = $uuid ?? self::generateServerAuthoritativeUuid($this->username);
+ }
+
+ /**
+ * Generates a UUID based on the player's username. This is used for any non-authenticated player, as we can't
+ * trust UUIDs sent by unauthenticated players.
+ */
+ public static function generateServerAuthoritativeUuid(string $username) : UuidInterface{
+ //TODO: should we be cleaning the username here?
+ return Uuid::uuid5(self::UNAUTHENTICATED_PLAYER_UUID_NS, TextFormat::clean($username));
 }
 public function getUsername() : string{
diff --git a/src/player/XboxLivePlayerInfo.php b/src/player/XboxLivePlayerInfo.php
index 8a17ee744..1d2bdd0e0 100644
--- a/src/player/XboxLivePlayerInfo.php
+++ b/src/player/XboxLivePlayerInfo.php
@@ -48,7 +48,7 @@ final class XboxLivePlayerInfo extends PlayerInfo{
 public function withoutXboxData() : PlayerInfo{
 return new PlayerInfo(
 $this->getUsername(),
- $this->getUuid(),
+ null, //we can't trust UUIDs of non-XBL players - replace this with a server-generated UUID
 $this->getSkin(),
 $this->getLocale(),
 $this->getExtraData()
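Review bot: `generateServerAuthoritativeUuid()` hashes `TextFormat::clean($username)` with its case intact, so `Steve` and `steve` get different UUIDs; if the rest of the server treats usernames case-insensitively (not visible in this hunk), one account would end up with two identities. Because the result becomes a persistent key, the canonical form has to be settled before release and the TODO resolved rather than shipped, for example `return Uuid::uuid5(self::UNAUTHENTICATED_PLAYER_UUID_NS, mb_strtolower(TextFormat::clean($username)));`. The docblock should also say that the UUID is a deterministic function of the name and therefore no stronger an identifier than the username itself. Any unauthenticated client presenting the same name receives the same UUID, so UUID-keyed bans or permissions give no extra assurance when XBL authentication is off.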
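Review bot: `withoutXboxData()` now discards the UUID as well as the Xbox data, which the method name does not convey and which its docblock (outside this hunk) presumably does not mention either. The documentation should state that the returned `PlayerInfo` carries a username-derived UUID, for instance `Note: the UUID is also replaced with a server-generated one, since it cannot be trusted without XBL authentication.` A caller that read `getUuid()` from the `XboxLivePlayerInfo` before the downgrade will see a different value afterwards, so the downgrade should happen before the UUID is used as a key anywhere.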